Abstract



To produce a program guaranteed to satisfy a given specification, one can synthesize it from a formal constructive proof that a computation satisfying that specification exists. This process is particularly effective if the specifications are written in a high-level language that makes it easy for designers to specify their goals. We consider a high-level specification language that results from adding knowledge to a fragment of Nuprl specifically tailored for specifying distributed protocols, called event theory. We then show how high-level knowledge-based programs can be synthesized from the knowledge-based specifications using a proof development system such as Nuprl. Methods of Halpern and Zuck [1992] then apply to convert these knowledge-based protocols to ordinary protocols. These methods can be expressed as heuristic transformation tactics in Nuprl.

1 Introduction 

Errors in software are extremely costly and disruptive. NIST (the National Institute of Standards and Technology) estimates the cost of software errors to the US economy at $59.5 billion per year. One approach to minimizing errors is to synthesize programs from specifications. Synthesis methods have produced highly reliable moderate-sized programs in cases where the computing task can be precisely specified. One of the most elegant synthesis methods is the use of so-called correct-by-construction program synthesis [Bates and Constable 1985; Constable et al. 1986]. Here programs are constructed from proofs that the specifications are satisfiable. That is, a constructive proof that a specification is satisfiable gives a program that satisfies the specification. This method has been successfully used by several research groups and companies to construct large complex sequential programs, but it has not yet been used to create substantial realistic distributed programs.

The Cornell Nuprl proof development system was among the first tools used to create correct-by-construction functional and sequential programs [Constable et al. 1986]. Nuprl has also been used extensively to optimize distributed protocols, and to specify them in the language of I/O Automata [Bickford, Kreitz, Renesse, and Liu 2001]. Recent work by two of the authors [Bickford and Constable 2003] has resulted in the definition of a fragment of the higher-order logic used by Nuprl tailored to specifying distributed protocols, called event theory, and the extension of Nuprl methods to synthesize distributed protocols from specifications written in event theory [Bickford and Constable 2003]. However, as has long been recognized [Fagin, Halpern, Moses, and Vardi 1995], designers typically think of specifications at a high level, which often involves knowledge-based statements. For example, the goal of a program might be to guarantee that a certain process knows certain information. It has been argued that a useful way of capturing these high-level knowledge-based specifications is by using high-level knowledge-based programs [Fagin, Halpern, Moses, and Vardi 1995; Fagin, Halpern, Moses, and Vardi 1997]. Knowledge-based programs are an attempt to capture the intuition that what an agent does depends on what it knows. For example, a knowledge-based program may say that process 1 should stop sending a bit to process 2 once process 1 knows that process 2 knows the bit. Such knowledge-based programs and specifications have been given precise semantics by Fagin et al. [1995; 1997]. They have already met with some degree of success, having been used both to help in the design of new protocols and to clarify the understanding of existing protocols [Dwork and Moses 1990; Halpern and Zuck 1992; Stulp and Verbrugge 2002].



In this paper, we add knowledge operators to event theory, raising its level of abstraction, and show by example that knowledge-based programs can be synthesized from constructive proofs that specifications in event theory with knowledge operators are satisfiable. Our example uses the sequence-transmission problem, where a sender must transmit a sequence of bits to a receiver in such a way that the receiver eventually knows arbitrarily long prefixes of the sequence. Halpern and Zuck [1992] provide knowledge-based programs for the sequence-transmission problem, prove them correct, and show that many standard programs for the problem in the literature can be viewed as implementations of their high-level knowledge-based programs. Here we show that one of these knowledge-based programs can be synthesized from the specifications of the problem, expressed in event theory augmented by knowledge. We can then translate the arguments of Halpern and Zuck to Nuprl, to show that the knowledge-based program can be transformed to the standard programs in the literature.

Engelhardt, van der Meyden, and Moses [1998; 2001] have also provided techniques for synthesizing knowledge-based programs from knowledge-based specifications, by successive refinement. We see their work as complementary to ours. Since our work is based on Nuprl, we are able to take advantage of the huge library of tactics provided by Nuprl to generate proofs. The expressive power of Nuprl also allows us to express all the high-level concepts of interest (both epistemic and temporal) easily. Engelhardt, van der Meyden, and Moses do not have a theorem-proving engine for their language. However, they do provide useful refinement rules that can easily be captured as tactics in Nuprl.

The paper is organized as follows. In the next section we give a brief overview of the Nuprl system, review event theory, discuss the type of programs we use (distributed message automata), and show how automata can be synthesized from a specification. In Section 3 we review epistemic logic, show how it can be translated into Nuprl, and show how knowledge-based automata can be captured in Nuprl. The sequence-transmission problem is analyzed in Section 4. We conclude with references to related work and a discussion of future research in Section 5.

2 Synthesizing programs from constructive proofs 
2.1 Nuprl: a brief overview 

Much current work on formal verification using theorem proving, including Nuprl, is based on type theory (see [Constable] for a recent overview). A type can be thought of as a set with structure that facilitates its use as a data type in computation; this structure also supports constructive reasoning. The set of types is closed under constructors such as $\times$ and $\to$, so that if $A$ and $B$ are types, so are $A \times B$ and $A \to B$, where, intuitively, $A \to B$ represents the computable functions from $A$ into $B$.

Constructive type theory, on which Nuprl is based, was developed to provide a foundation for constructive mathematics. The key feature of constructive mathematics is that "there exists" is interpreted as "we can construct (a proof of)". Reasoning in the Nuprl type theory is intuitionistic [Brouwer 1923], in the sense that proving a certain fact is understood as constructing evidence for that fact. For example, a proof of the fact that "there exists $x$ of type $A$" builds an object of type $A$, and a proof of the fact "for any object $x$ of type $A$ there exists an object $y$ of type $B$ such that the relation $R(x, y)$ holds" builds a function $f$ that associates with each object $a$ of type $A$ an object $b$ of type $B$ such that $R(a, b)$ holds.

One consequence of this approach is that the principle of excluded middle does not apply: while in classical logic $\varphi \lor \neg\varphi$ holds for all formulas $\varphi$, in constructive type theory it holds exactly when we have evidence for either $\varphi$ or $\neg\varphi$, and we can tell from this evidence which of $\varphi$ and $\neg\varphi$ it supports. A predicate $Determinate$ is definable in Nuprl such that $Determinate(p)$ is true iff the principle of excluded middle holds for formula $p$. (From here on, when we say that a formula is true, we mean that it is constructively true, that is, provable in Nuprl.)

In this paper, we focus on synthesizing programs from specifications. Thus we must formalize these 
notions in Nuprl. As a first step, we define a type Pgm in Nuprl and take programs to be objects of type 
Pgm. Once we have defined Pgm, we can define other types of interest. 

Definition 2.1: A program semantics is a function $S$ of type $Pgm \to Sem$ assigning to each program $Pg$ of type $Pgm$ a meaning of type $Sem = 2^{Sem'}$. Here $Sem'$ is the type of executions, so $S(Pg)$ is the set of executions consistent with the program $Pg$ under the semantics $S$. A specification is a predicate $X$ on $Sem'$. A program $Pg$ satisfies the specification $X$ if $X(e)$ holds for all $e$ in $S(Pg)$. A specification $X$ is satisfiable if there exists a program that satisfies $X$.

As Definition 2.1 suggests, all objects in Nuprl are typed. To simplify our discussion, we typically suppress the type declarations. Definition 2.1 shows that the satisfiability of a specification is definable in Nuprl. The key point for the purposes of this paper is that from a constructive proof that $X$ is satisfiable, we can extract a program that satisfies $X$.

Constructive type logic is highly undecidable, so we cannot hope to construct a proof completely automatically. However, experience has shown that, by having a large library of lemmas and proof tactics, it is possible to "almost" automate quite a few proofs, so that with a few hints from the programmer, correctness can be proved. For this general constructive framework to be useful in practice, the parameters $Pgm$, $Sem'$, and $S$ must be chosen so that (a) programs are concrete enough to be compiled, (b) specifications are naturally expressed as predicates over $Sem'$, and (c) there is a small set of rules for producing proofs of satisfiability.

To use this general framework for synthesis of distributed, asynchronous algorithms, we choose the programs in $Pgm$ to be distributed message automata. Message automata are closely related to I/O Automata [Lynch and Tuttle 1989] and are roughly equivalent to UNITY programs [Chandy and Misra 1988] (but with message-passing rather than shared-variable communication). We describe distributed message automata in Section 2.3. As we shall see, they satisfy criterion (a).

The semantics of a program is the system, or set of runs, consistent with it. Typical specifications in the literature are predicates on runs. We can view a specification as a predicate on systems by saying that a system satisfies a specification exactly if all the runs in the system satisfy it. To satisfy criterion (b), we formalize runs as structures that we call event structures, much in the spirit of Lamport's [1978] model of events in distributed systems. Event structures are explained in more detail in the next section. We have shown [Bickford and Constable 2003] that, although satisfiability is undecidable, there is indeed a small set of rules from which we can prove satisfiability in many cases of interest; these rules are
discussed in Section [ 



2.2 Event structures 

Consider a set $AG$ of processes or agents; associated with each agent $i$ in $AG$ is a set $X_i$ of local variables. Agent $i$'s local state at a point in time is defined as the values of its local variables at that time. We assume that the sets of local variables of different agents are disjoint. Information is communicated by message passing. The set of links is $Links$. Sending a message on some link $l \in Links$ is understood as enqueuing the message on $l$, while receiving a message corresponds to dequeuing the message. Communication is point-to-point: for each link $l$ there is a unique agent $source(l)$ that can send messages on $l$, and a unique agent $dest(l)$ that can receive messages on $l$. For each agent $i$ and link $l$ with $source(l) = i$, we assume that $msg(l)$ is a local variable in $X_i$.

We assume that communication is asynchronous, so there is no global notion of time. Following Lamport [1978], changes to the local state of an agent are modeled as events. Intuitively, when an event "happens", an agent either sends a message, receives a message, or chooses some values (perhaps nondeterministically). As a result of receiving the message or of the (nondeterministic) choice, some of the agent's local variables are changed.

Lamport's theory of events is the starting point of our formalism. To help in writing concrete and detailed specifications, we add more structure to events. Formally, an event is a tuple with three components. The first component of an event $e$ is an agent $i \in AG$, intuitively the agent whose local state changes during event $e$. We denote $i$ as $agent(e)$. The second component of $e$ is its kind, which is either a link $l$ with $dest(l) = i$ or a local action $a$, an element of some given set $Act$ of local actions. The only actions in $Act$ are those that set local variables to certain values. We denote this component as $kind(e)$. We often write $kind(e) = rcv(l)$ rather than $kind(e) = l$ to emphasize the fact that $e$ is a receive event; similarly we write $kind(e) = local(a)$ rather than $kind(e) = a$ to emphasize the fact that $a$ is a local action. The last component of $e$ is its value $v$, a tuple of elements in some domain $Val$; we denote this component as $val(e)$. If $e$ is a receive event, then $val(e)$ is the message received when $e$ occurs; if $e$ is a local event of kind $a$, then $val(e)$ represents the tuple of values to which the variables are set by $a$. (For more details on the reasons that led to this formalism, see [Bickford and Constable 2005].)

Rather than having a special kind to model send events, we model the sending of a message on link $l$ by changing the value of a local variable $msg(l)$ that describes the message sent on $l$. A special value $\bot$ indicates that no message is sent when the event occurs; changing $msg(l)$ to a value other than $\bot$ indicates that a message is sent on $l$. This way of modeling send events has proved to be convenient. One advantage is that we can model multicast: the event $e$ of $i$ broadcasting a message $m$ to a group of agents just involves a local action that sets $msg(l)$ to $m$ for each link $l$ from $i$ to one of the agents in the group. Similarly, there may be an action in which agent $i$ sends a message to some agents and simultaneously updates other local variables.

Following Lamport [1978], we model an execution of a distributed program as a sequence of events satisfying a number of natural properties. We call such a sequence an event structure. We take an event structure $es$ to be a tuple consisting of a set $E$ of events and a number of additional elements that we now describe. These elements include the functions $dest$, $source$, and $msg$ referred to above, but there are others. For example, Lamport assumes that every receive event $e$ has a corresponding (and unique) event where the message received at $e$ was sent. To capture this in our setting, we assume that the description of the event structure $es$ includes a function $send$ whose domain is the receive events in $es$ and whose range is the set of events in $es$; if $kind(e) = rcv(l)$, we require that $agent(send(e)) = source(l)$. Note that, since we allow multicasts, different receive events may have the same corresponding send event.

For each $i \in AG$, we assume that the set of events $e$ in $es$ associated with $i$ is totally ordered. This means that, for each event $e$, we can identify the sequence of events (the history) associated with agent $i$ that preceded $e$. To formalize this, we assume that, for each agent $i \in AG$, the description of $es$ includes a total order $\prec_i$ on the events $e$ in $es$ such that $agent(e) = i$. Define a predicate $first$ and a function $pred$ such that $first(e)$ holds exactly when $e$ is the first event in the history associated with $agent(e)$ in $es$; if $first(e)$ does not hold, then $pred(e)$ is the unique predecessor of $e$ in $es$. Following Lamport [1978], we take $\prec$ to be the least transitive relation on events in $es$ such that $send(e) \prec e$ if $e$ is a receive event and $e \prec e'$ if $e \prec_i e'$. We assume that $\prec$ is well-founded. We abbreviate $(e' \prec e) \lor (e = e')$ as $e' \preceq e$, or $e \succeq e'$. Note that $\prec_i$ is defined only for events associated with agent $i$: we write $e \prec_i e'$ only if $agent(e) = agent(e') = i$.

The local state of an agent defines the values of all the variables associated with the agent. While it is possible that an event structure contains no events associated with a particular agent, for ease of exposition, we consider only event structures in which each agent has at least one local state, and denote the initial local state of agent $i$ as $initstate_i$. In event structures $es$ where at least one event associated with a given agent $i$ occurs, $initstate_i$ represents $i$'s local state before the first event associated with $i$ occurs in $es$. Formally, the local state of an agent $i$ is a function that maps $X_i$ and a special symbol $val_i$ to values. (The role of $val_i$ will be explained when we give the semantics of the logic.) If $x \in X_i$, we write $s(x)$ to denote the value of $x$ in $i$'s local state $s$; similarly, $s(val_i)$ is the value of $val_i$ in $s$. If $agent(e) = i$, we take $state\ before\ e$ to be the local state of agent $i$ before $e$; similarly, $state\ after\ e$ denotes $i$'s local state after event $e$ occurs. The value $(state\ after\ e)(x)$ is in general different from $(state\ before\ e)(x)$. How it differs depends on the event $e$, and will be clarified in the semantics. We assume that $(state\ after\ e)(val_i) = val(e)$; that is, the value of the special symbol $val_i$ in a local state is just the value of the event that it follows. If $x \in X_i$, we take $x\ before\ e$ to be an abbreviation for $(state\ before\ e)(x)$, that is, the value of $x$ in the state before $e$ occurs; similarly, $x\ after\ e$ is an abbreviation for $(state\ after\ e)(x)$.

Example 2.2: Suppose that $Act$ contains $send$ and $send{+}inc(x)$, where $x \in X_i$, and that $Val$ contains the natural numbers. Let $m$ and $v$ be natural numbers. Then

• the event of agent $i$ receiving message $m$ on link $l$ in the event structure $es$ is modeled by the tuple $e = (i, l, m)$, where $agent(e) = i$, $kind(e) = rcv(l)$, and $val(e) = m$;

• the event of agent $i$ sending message $m$ on link $l$ in $es$ is represented by the tuple $e = (i, send, m)$, where $msg(l)\ after\ e = m$;

• the event $e$ of agent $i$ sending $m$ on link $l$ and incrementing its local variable $x$ by $v$ in $es$ is represented by the tuple $e$ such that $agent(e) = i$, $kind(e) = send{+}inc(x)$, and $val(e) = (m, v)$, where $msg(l)\ after\ e = m$ and $x\ after\ e = x\ before\ e + v$.

Definition 2.3: An event structure is a tuple

$$es = (AG, Links, source, dest, Act, \{X_i\}_{i \in AG}, Val, \{initstate_i\}_{i \in AG}, E, agent, send, first, \{\prec_i\}_{i \in AG}, \prec)$$

where $AG$ is a set of agents, $Links$ is a set of links such that $source : Links \to AG$ and $dest : Links \to AG$, $Act$ is a set of actions, $X_i$ is a set of variables for agent $i \in AG$ such that, for all links $l \in Links$, $msg(l) \in X_i$ if $i = source(l)$, $Val$ is a set of values, $initstate_i$ is the initial local state of agent $i \in AG$, $E$ is a set of events for agents $AG$, kinds $Kind = Links \cup Act$, and domain $Val$, the functions $agent$, $send$ and $first$ are defined as explained above, the $\prec_i$ are local precedence relations, and $\prec$ is a causal order such that the following axioms, all expressible in Nuprl, are satisfied:

• if $e$ has kind $rcv(l)$, then the value of $e$ is the message sent on $l$ during event $send(e)$, $agent(e) = dest(l)$, and $agent(send(e)) = source(l)$:

$$\forall e \in es.\ \forall l.\ (kind(e) = rcv(l)) \Rightarrow (val(e) = msg(l)\ after\ send(e)) \land (agent(e) = dest(l)) \land (agent(send(e)) = source(l));$$

• for each agent $i$, events associated with $i$ are totally ordered:

$$\forall e \in es.\ \forall e' \in es.\ (agent(e) = agent(e') = i \Rightarrow e \prec_i e' \lor e' \prec_i e \lor e = e');$$

• $e$ is the first event associated with agent $i$ if and only if there is no event associated with $i$ that precedes $e$:

$$\forall e \in es.\ \forall i.\ (agent(e) = i) \Rightarrow (first(e) \Leftrightarrow \forall e' \in es.\ \neg(e' \prec_i e));$$

• the initial local state of agent $i$ is the state before the first event associated with $i$, if any:

$$\forall i.\ \forall e \in es.\ (agent(e) = i \Rightarrow (first(e) \Leftrightarrow (state\ before\ e = initstate_i)));$$

• the predecessor of an event $e$ immediately precedes $e$ in the local order $\prec_i$:

$$\forall e \in es.\ \forall i.\ ((agent(e) = i) \land \neg first(e)) \Rightarrow ((pred(e) \prec_i e) \land (\forall e' \in es.\ \neg(pred(e) \prec_i e' \prec_i e)));$$

• the local variables of agent $agent(e)$ do not change value between the predecessor of $e$ and $e$:

$$\forall e \in es.\ \forall i.\ (agent(e) = i \land \neg first(e)) \Rightarrow \forall x \in X_i.\ (x\ after\ pred(e) = x\ before\ e);$$

• the causal order $\prec$ is well-founded:

$$\forall P.\ (\forall e.\ (\forall e' \prec e.\ P(e')) \Rightarrow P(e)) \Rightarrow (\forall e.\ P(e)),$$

where $P$ is an arbitrary predicate on events. (It is easy to see that this axiom is sound if $\prec$ is well-founded. On the other hand, if $\prec$ is not well-founded, then let $P$ be a predicate that is false exactly of the events $e$ such that there is an infinite descending sequence starting with $e$. In this case, the antecedent of the axiom holds, and the conclusion does not.)

In our proofs, we will need to argue that two events $e$ and $e'$ are either causally related or they are not. It can be shown [Bickford and Constable 2003] that this can be proved in constructive logic iff the predicate $first$ satisfies the principle of excluded middle. We enforce this by adding the following axiom to the characterization of event structures:

$$\forall e \in es.\ Determinate(first(e)).$$

The set of event structures is definable in Nuprl (see [Bickford and Constable 2003]). We use event structures to model executions of distributed systems. We show how this can be done in the next section.

2.3 Distributed message automata 

As we said, the programs we consider are message automata. Roughly speaking, we can think of 
message automata as nondeterministic state machines, though certain differences exist. Each basic 
message automaton is associated with an agent i; a message automaton associated with i essentially 
says that, if certain preconditions hold, i can take certain local actions. (We view receive actions as 
being out of the control of the agent, so the only actions governed by message automata are local 
actions.) At each point in time, i nondeterministically decides which actions to perform, among those 
whose precondition is satisfied. We next describe the syntax and semantics of message automata. 

2.3.1 Syntax We consider a first-order language for tests in automata. Fix a set $AG$ of agents, a set $X_i$ of local variables for each agent $i$ in $AG$, and a set $X^*$ of variables that includes $\bigcup_{i \in AG} X_i$ (but may have other variables as well). The language also includes special constant symbols $val_i$, one for each agent $i \in AG$, predicate symbols in some finite set $\mathcal{P}$, and function symbols in some finite set $\mathcal{F}$. Loosely speaking, $val_i$ is used to denote the value of an event associated with agent $i$; constant symbols other than $val_1, \dots, val_n$ are just 0-ary function symbols in $\mathcal{F}$. We allow quantification only over variables other than local variables; that is, over variables $x \notin \bigcup_{i \in AG} X_i$.

Message automata are built using a small set of basic programs, which may involve formulas in the language above. Fix a set $Act$ of local actions and a set $Links$ of links between agents in $AG$.¹ There are five types of basic programs for agent $i$:

• @i initially $\varphi$;

• @i if kind = $k$ then $x := t$, where $k \in Act \cup Links$ and $x \in X_i$;

• @i kind = local($a$) only if $\varphi$;

• @i if necessarily $\varphi$ then i.o. kind = local($a$); and

• @i only $L$ affects $x$, where $L$ is a list of kinds in $Act \cup Links$ and $x \in X_i$.

Note that all basic programs for agent $i$ are prefixed by @i.

¹We are being a little sloppy here, since we do not distinguish between an action $a$ and the name for the action that appears in a program, and similarly for links and the variables in $X_i$.

We can form more complicated programs from simpler programs by composition. We can compose automata associated with different agents. Thus, the set (type) $Pgm$ of programs is the smallest set that includes the basic programs such that if $Pg_1$ and $Pg_2$ are programs, then so is $Pg_1 \oplus Pg_2$.

2.3.2 Semantics We give semantics by associating with each program the set of event structures 
consistent with the program. Intuitively, a set of event structures is consistent with a distributed message 
automaton if each event structure in the set can be seen as an execution of the automaton. The semantics 
can be defined formally in Nuprl as a relation between a distributed program Pg and an event structure 
es. In this section, we define the consistency relation for programs and give the intuition behind these 
programs. 

In classical logic, we give meaning to formulas using an interpretation. In the Nuprl setting, we are interested in constructive interpretations $I$, which can be characterized by a formula $\varphi_I$. We can think of $\varphi_I$ as characterizing a domain $Val_I$ and the meaning of the function and predicate symbols.² If $I$ is an interpretation with domain $Val_I$, an $I$-local state for $i$ maps $X_i \cup \{val_i\}$ to $Val_I$; an $I$-global state is a tuple of $I$-local states, one for each agent in $AG$. Thus, if $s = (s_1, \dots, s_n)$ is an $I$-global state, then $s_i$ is $i$'s local state in $s$. (Note that we previously used $s$ to denote a local state, while here $s$ denotes a global state. We will always make it clear whether we are referring to local or global states.)

For consistency with our later discussion of knowledge-based programs, we allow the meaning of some predicate and function symbols that appear in tests in programs to depend on the global state. We say that a function or predicate symbol is rigid if it does not depend on the global state. For example, if the domain is the natural numbers, we will want to treat $+$, $\times$, and $<$ as rigid. However, having the meaning of a function or predicate depend on the global state is not quite as strange as it may seem. For example, we may want to talk about an array whose values are encoded in agent 1's variables $x_1$, $x_2$, and $x_3$. An array is just a function, so the interpretation of the function may change as the values of $x_1$, $x_2$, and $x_3$ change. For each nonrigid predicate symbol $P$ and function symbol $f$ in $\mathcal{P} \cup \mathcal{F}$, we assume that there is a predicate symbol $P^+$ and a function symbol $f^+$ whose arity is one more than that of $P$ (resp., $f$); the extra argument is a global state. We then associate with every formula $\varphi$ and term $t$ that appears in a program a formula $\varphi^+$ and a term $t^+$ in the language of Nuprl. We define $\varphi^+$ by induction on the structure of $\varphi$. For example, for an atomic formula such as $P(c)$, if $P$ and $c$ are rigid, then $(P(c))^+$ is just $P(c)$. If $P$ and $c$ are both nonrigid, then $(P(c))^+$ is $P^+(c^+(s), s)$, where $s$ is a variable interpreted as a global state.³ We leave to the reader the straightforward task of defining $\varphi^+$ and $t^+$ for atomic formulas and terms. We then take $(\varphi \land \psi)^+ = \varphi^+ \land \psi^+$, $(\neg\varphi)^+ = \neg\varphi^+$, and $(\forall x\,\varphi)^+ = \forall x\,\varphi^+$.

An $I$-valuation $V$ associates with each non-local variable (i.e., variable not in $\bigcup_{i \in AG} X_i$) a value in $Val_I$. Given an interpretation $I$, an $I$-global state $s$, and an $I$-valuation $V$, we take $I_V(\varphi)(s)$ to be an abbreviation for the formula (expressible in Nuprl) that says that $\varphi_I$ together with the conjunction of atomic formulas of the form $x = V(x)$ for all non-local variables $x$ that appear in $\varphi$, $x = s_i(x)$ for variables $x \in X_i$, $i \in AG$, that appear in $\varphi$, and $\mathbf{s} = s$ (identifying the state variable $\mathbf{s}$ of $\varphi^+$ with $s$) implies $\varphi^+$. Thus, $I_V(\varphi)(s)$ holds if there is a constructive proof that the formula that characterizes $I$ together with the (atomic) formulas that describe $V(x)$ and $s$, and a formula that says that $\mathbf{s}$ is represented by $s$, imply $\varphi^+$. It is beyond the scope of this paper (and not necessary for what we do here) to discuss constructive proofs in Nuprl; details can be found in [Constable et al. 1986]. However, it is worth noting that, for a first-order formula $\varphi$, if $I_V(\varphi)(s)$ holds, then $\varphi^+$ is true in state $s$ with respect to the semantics of classical logic in $I$. The converse is not necessarily true. Roughly speaking, $I_V(\varphi)(s)$ holds if there is evidence for the truth of $\varphi^+$ in state $s$ (given valuation $V$). We may have evidence for neither $\varphi^+$ nor $\neg\varphi^+$. We also take $I_V(t)(s)$ to be the value $v$ such that there is a constructive proof of $I_V(t = v)(s)$. Note that this says that, just as we may not have evidence for either $\varphi$ or $\neg\varphi$ in constructive logic, not all terms are computable in Nuprl, and $I_V(t)(s)$ may not be defined for all terms $t$ and states $s$.

²Here we are deliberately ignoring the difference between sets and types.

³Since Nuprl is a higher-order language, there is no problem having a variable ranging over global states that is an argument to a predicate.

A formula $\varphi$ is an $i$-formula in interpretation $I$ if its meaning in $I$ depends only on $i$'s local state; that is, for all global states $s$ and $s'$ such that $s_i = s'_i$, $I_V(\varphi)(s)$ holds iff $I_V(\varphi)(s')$ does. Similarly, $t$ is an $i$-term in $I$ if $x = t$ is an $i$-formula in $I$, for $x$ a non-local variable. It is easy to see that $\varphi$ is an $i$-formula in all interpretations $I$ if all the predicate and function symbols in $\varphi$ are rigid, and $\varphi$ does not mention variables in $X_j$ for $j \neq i$ and does not mention the constant symbol $val_j$ for $j \neq i$. Intuitively, this is because if we have a constructive proof that $\varphi$ holds in $s$ with respect to valuation $V$, and $\varphi$ is an $i$-formula, then all references to local states of agents other than $i$ can be safely discarded from the argument to construct a proof for $\varphi$ based solely on $s_i$. If $\varphi$ is an $i$-formula, then we sometimes abuse notation and write $I_V(\varphi)(s_i)$ rather than $I_V(\varphi)(s)$. Note that the valuation $V$ is not needed for interpreting formulas whose free variables are all local; in particular, $V$ is not needed to interpret $i$-formulas. For the rest of this paper, if the valuation is not needed, we do not mention it, and simply write $I(\varphi)$. Given a formula $\varphi$ and term $t$, we can easily define Nuprl formulas $i\text{-}formula(\varphi, I)$ and $i\text{-}term(t, I)$ that are constructively provable if $\varphi$ is an $i$-formula in $I$ (resp., $t$ is an $i$-term in $I$).

We define a predicate $Consistent_I$ on programs and event structures such that, intuitively, $Consistent_I(Pg, es)$ holds if the event structure $es$ is consistent with program $Pg$, given interpretation $I$. We start with basic programs. The basic program @i initially $\varphi$ is an initialization program, which is intended to hold in an event structure $es$ if $\varphi$ is an $i$-formula and $i$'s initial local state satisfies $\varphi$. Thus,

$$Consistent_I(@i\ \mathrm{initially}\ \varphi,\ es) =_{def} i\text{-}formula(\varphi, I) \land I(\varphi)(initstate_i).$$

(This notation implicitly assumes that $initstate_i$ is as specified by $es$, according to Definition 2.3. For simplicity, we have opted for this notation instead of $es.initstate_i$.)

We call a basic program of the form @i if kind = $k$ then $x := t$ an effect program. It says that, if $t$ is an $i$-term, then the effect of an event $e$ of kind $k$ is to set $x$ to $t$. We define

$$Consistent_I(@i\ \mathrm{if\ kind} = k\ \mathrm{then}\ x := t,\ es) =_{def} i\text{-}term(t, I) \land \forall e@i \in es.\ (kind(e) = k \Rightarrow (state\ after\ e)(x) = I(t)(state\ before\ e)),$$

where we write $\forall e@i \in es.\ \varphi$ as an abbreviation for $\forall e \in es.\ agent(e) = i \Rightarrow \varphi$. As above, the notation implicitly assumes that $before$ and $after$ are as specified by $es$. Again, this expression is an abbreviation for a formula expressible in Nuprl whose intended meaning should be clear; $Consistent_I(@i\ \mathrm{if\ kind} = k\ \mathrm{then}\ x := t,\ es)$ holds if there is a constructive proof of the formula.
We can use a program of this type to describe a message sent on a link $l$. For example,

@i if kind = local($a$) then $msg(l) := f(val_i)$

says that, for all events $e$, $f(v)$ is sent on link $l$ if the kind of $e$ is $local(a)$, the local state of agent $i$ before $e$ is $s_i$, and $v = s_i(val_i)$.

The third type of program, @i kind = local(a) only if $\varphi$, is called a precondition program. It says that an event of kind $a$ can occur only if the precondition $\varphi$ (which must be an i-formula) is satisfied:

$\mathit{Consistent}_I(\text{@}i\ kind = local(a) \text{ only if } \varphi, es) =_{def}$
$\text{i-formula}(\varphi, I) \wedge \forall e@i \in es.\ (kind(e) = local(a) \Rightarrow I(\varphi)(state\ before\ e)).$

Note that we allow conditions of the form $kind(e) = local(a)$ here, not the more general condition of the form $kind(e) = k$ allowed in effect programs. We do not allow conditions of the form $kind(e) = rcv(l)$ because we assume that receive events are not under the control of the agent.

Standard formalizations of input-output automata (see [Lynch and Tuttle 1989]) typically assume that executions satisfy some fairness constraints. We assume here only a weak fairness constraint that is captured by the basic program @i if necessarily $\varphi$ then i.o. kind = local(a), which we call a fairness program. Intuitively, it says that if $\varphi$ holds from some point on, then an event with kind $local(a)$ will eventually occur. For an event sequence with only finitely many states associated with $i$, we take $\varphi$ to hold "from some point on" if $\varphi$ holds at the last state. In particular, this means that the program cannot be consistent with an event sequence for which there are only finitely many events associated with $i$ if $\varphi$ holds of the last state associated with $i$. Define

$\mathit{Consistent}_I(\text{@}i \text{ if necessarily } \varphi \text{ then i.o. } kind = local(a), es) =_{def}$
$\text{i-formula}(\varphi, I) \wedge$
$[((\exists e@i \in es) \wedge \forall e@i \in es.\ \exists e' \succeq_i e.\ I(\neg\varphi)(state\ after\ e') \vee (kind(e') = local(a)))$
$\vee (\neg(\exists e@i \in es) \wedge I(\neg\varphi)(initstate_i))].$

The last type of basic program, @i only L affects x, is called a frame program. It ensures that only events of kinds listed in $L$ can cause changes in the value of variable $x$. The precise semantics depends on whether $x$ has the form $msg(l)$. If $x$ does not have the form $msg(l)$, then

$\mathit{Consistent}_I(\text{@}i \text{ only } L \text{ affects } x, es) =_{def}$
$\forall e@i \in es.\ ((x\ after\ e) \neq (x\ before\ e) \Rightarrow (kind(e) \in L)).$

If $x$ has the form $msg(l)$, then we must have $source(l) = i$. Recall that sending a message $m$ on $l$ is formalized by setting the value of $msg(l)$ to $m$. We assume that messages are never null (i.e., $m \neq \bot$). No messages are sent during event $e$ if $msg(l)\ after\ e = \bot$. If $x$ has the form $msg(l)$, then

$\mathit{Consistent}_I(\text{@}i \text{ only } L \text{ affects } msg(l), es) =_{def}$
$\forall e@i \in es.\ ((msg(l)\ after\ e \neq \bot) \Rightarrow (kind(e) \in L)).$

Finally, an event structure $es$ is said to be consistent with a distributed program $Pg$ that is not basic if $es$ is consistent with each of the basic programs that form $Pg$:

$\mathit{Consistent}_I(Pg_1 \oplus Pg_2, es) =_{def} \mathit{Consistent}_I(Pg_1, es) \wedge \mathit{Consistent}_I(Pg_2, es).$

Definition 2.4: Given an interpretation $I$, the semantics of a program $Pg$ is the set of event structures consistent with $Pg$ under interpretation $I$. We denote by $S_I$ this semantics of programs: $S_I(Pg) = \{es \mid \mathit{Consistent}_I(Pg, es)\}$. We write $Pg \models_I X$ if $Pg$ satisfies $X$ with respect to interpretation $I$; that is, if $X(es)$ is true for all $es \in S_I(Pg)$. ∎

Note that $S_I(Pg_1 \oplus Pg_2) = S_I(Pg_1) \cap S_I(Pg_2)$. Since the $\mathit{Consistent}_I$ predicate is definable in Nuprl, we can formally reason in Nuprl about the semantics of programs.

A specification is a predicate on event structures. Since our main goal is to derive, from a proof that a specification $X$ is satisfiable, a program that satisfies $X$, we want to rule out the trivial case where the derived program $Pg$ has no executions, so that it vacuously satisfies the specification $X$.

Definition 2.5: Program $Pg$ is consistent (with respect to interpretation $I$) if $S_I(Pg) \neq \emptyset$. The specification $X$ is realizable (with respect to interpretation $I$) if it is not vacuously satisfied, that is, if $\exists Pg.\ (Pg \models_I X \wedge S_I(Pg) \neq \emptyset)$. $Pg$ realizes $X$ (with respect to $I$) if $Pg \models_I X$ and $Pg$ is consistent (with respect to $I$). ∎

Thus, a specification is realizable if there exists a consistent program that satisfies it, and, given an interpretation $I$, a program is realizable if there exists an event structure consistent with it (with respect to $I$). Since we reason constructively, this means that a program is realizable if we can construct an event structure consistent with the program. This requires not only constructing sequences of events, one for each agent, but all the other components of the event structure as specified in Definition 2.3, such as the causality relation and $Act$.

All basic programs other than initialization and fairness programs are vacuously satisfied (with respect to every interpretation $I$) by the empty event structure $es$ consisting of no events. The empty event structure is consistent with these basic programs because their semantics is defined in terms of a universal quantification over events associated with an agent. It is not hard to see that an initialization program @i initially $\psi$ is consistent with respect to interpretation $I$ if and only if $\psi$ is satisfiable in $I$; i.e., there is some global state $s$ such that $I(\psi)(s_i)$ holds. For if $es$ is an event structure with $initstate_i = s_i$, then clearly $es$ realizes @i initially $\psi$.

Fair programs are realizable with respect to interpretations $I$ where the precondition $\varphi$ satisfies the principle of excluded middle (that is, $\mathit{Determinate}(\varphi)$, i.e. $\varphi \vee \neg\varphi$, is provable in Nuprl), although they are not necessarily realized by a finite event structure. To see this, note that if $\varphi$ satisfies the principle of excluded middle in $I$, then either there is an $I$-local state $s^*$ for agent $i$ such that $I(\neg\varphi)(s^*)$ holds, or $I(\varphi)(s_i)$ holds for all $I$-local states $s_i$ for $i$. In the former case, consider an empty event structure $es$ with domain $Val_i$ and $initstate_i = s^*$; it is easy to see that $es$ is consistent with @i if necessarily $\varphi$ then i.o. kind = local(a). Otherwise, let $Act = \{a\}$. Let $es$ be an event structure where $Act$ is the set of local actions, $Val_i$ is the set of values, the sequence of events associated with agent $i$ in $es$ is infinite, and all events associated with agent $i$ have kind $local(a)$. Again, it is easy to see that $es$ is consistent with @i if necessarily $\varphi$ then i.o. kind = local(a).

If $\varphi$ does not satisfy the principle of excluded middle in $I$, then @i if necessarily $\varphi$ then i.o. kind = local(a) may not be realizable with respect to $I$. For example, this would be the case if neither $I(\varphi)(s_i)$ nor $I(\neg\varphi)(s_i)$ holds for any local state $s_i$.

Note that two initialization programs may each be consistent although their composition is not. For example, if both $\psi$ and $\neg\psi$ are satisfiable i-formulas, then each of @i initially $\psi$ and @i initially $\neg\psi$ is consistent, although their composition is not. Nevertheless, all programs synthesized in this paper can be easily proven consistent.

2.3.3 Axioms  Bickford and Constable [2003] derived from the formal semantics of distributed message automata some Nuprl axioms that turn out to be useful for proving the satisfiability of a specification. We now present (a slight modification of) their axioms. The axioms have the form $Pg \models_I X$, where $Pg$ is a program and $X$ is a specification, that is, a predicate on event structures; the axiom is sound if all event structures $es$ consistent with program $Pg$ under interpretation $I$ satisfy the specification $X$. We write $\models_I$ to make clear that the program semantics is given with respect to an interpretation $I$. There is an axiom for each type of basic program other than frame programs, two axioms for frame programs (corresponding to the two cases in the semantic definition of frame programs), together with an axiom characterizing composition and a refinement axiom.

Ax-init:

@i initially $\psi$ $\models_I$ $\lambda es.\ \text{i-formula}(\psi, I) \wedge I(\psi)(initstate_i)$.

(Note that the right-hand side of $\models_I$ is a specification; given an event structure $es$, it is true if $\text{i-formula}(\psi, I) \wedge I(\psi)(initstate_i)$ holds in event structure $es$.)

Ax-cause:

@i if kind = k then x := t $\models_I$ $\lambda es.\ \text{i-term}(t, I) \wedge \forall e@i \in es.\ (kind(e) = k \Rightarrow (state\ after\ e)(x) = I(t)(state\ before\ e))$.

Ax-if:

@i kind = local(a) only if $\varphi$ $\models_I$ $\lambda es.\ \text{i-formula}(\varphi, I) \wedge \forall e@i \in es.\ (kind(e) = local(a) \Rightarrow I(\varphi)(state\ before\ e))$.

Ax-fair:

@i if necessarily $\varphi$ then i.o. kind = local(a) $\models_I$
$\lambda es.\ \text{i-formula}(\varphi, I) \wedge$
$[((\exists e@i \in es) \wedge \forall e@i \in es.\ \exists e' \succeq_i e.\ I(\neg\varphi)(state\ after\ e') \vee (kind(e') = local(a)))$
$\vee (\neg(\exists e@i \in es) \wedge I(\neg\varphi)(initstate_i))].$

Ax-affects:

@i only L affects x $\models_I$ $\lambda es.\ \forall e@i \in es.\ (x\ after\ e \neq x\ before\ e) \Rightarrow (kind(e) \in L)$.

Ax-sends:

@i only L affects msg(l) $\models_I$ $\lambda es.\ \forall e@i \in es.\ (msg(l)\ after\ e \neq \bot) \Rightarrow (kind(e) \in L)$.

Ax-⊕: $(Pg_1 \models_I P) \wedge (Pg_2 \models_I Q) \Rightarrow (Pg_1 \oplus Pg_2 \models_I P \wedge Q)$.
Ax-ref: $(Pg \models_I P) \wedge (P \Rightarrow Q) \Rightarrow (Pg \models_I Q)$.

Lemma 2.6: Axioms Ax-init, Ax-cause, Ax-if, Ax-fair, Ax-affects, Ax-sends, Ax-⊕, and Ax-ref hold for all interpretations $I$.

Proof: This is immediate from Definitions 2.1 and 2.4 and the definition of $\mathit{Consistent}_I$. ∎
2.3.4 A general scheme for program synthesis  Recall that, given a specification $\varphi$ and an interpretation $I$, the goal is to prove that $\varphi$ is satisfiable with respect to $I$, that is, to show that $\exists Pg.\ (Pg \models_I \varphi)$ holds. We now provide a general scheme for doing this. Consider the following scheme, which we call GS:

1. Find specifications $\varphi_1, \varphi_2, \ldots, \varphi_n$ such that $\forall es.\ (\varphi_1(es) \wedge \varphi_2(es) \wedge \ldots \wedge \varphi_n(es) \Rightarrow \varphi(es))$ is true under interpretation $I$.

2. Find programs $Pg_1, Pg_2, \ldots, Pg_n$ such that $Pg_i \models_I \varphi_i$ holds for all $i \in \{1, \ldots, n\}$.

3. Conclude that $Pg \models_I \varphi$, where $Pg = Pg_1 \oplus Pg_2 \oplus \ldots \oplus Pg_n$.

Step 1 of GS is proved using the rules and axioms encoded in the Nuprl system; Step 2 is proved using the axioms given in Section 2.3.3. It is easy to see that GS is sound in the sense that, if we can show using GS that $Pg$ satisfies $\varphi$, then $Pg$ does indeed satisfy $\varphi$. We formalize this in the following proposition.

Proposition 2.7: Scheme GS is sound.
2.4 Example 

As an example of a specification that we use later, consider the run-based specification $Fair_i(\varphi, t, l)$, where $i \neq j$, $l$ is a link with $source(l) = i$ and $dest(l) = j$, $\varphi$ is an i-formula, and $t$ is an i-term. $Fair_i(\varphi, t, l)$ is a conjunction of a safety condition and a liveness condition. The safety condition asserts that if a message is received on link $l$, then it is the term $t$ interpreted with respect to the local state of the sender, and that $\varphi$, evaluated with respect to the local state of the sender, holds. The liveness condition says that, if (there is a constructive proof that) condition $\varphi$ is enabled from some point on in an infinite event sequence, then eventually a message sent on $l$ is delivered. (Thus, the specification imposes a weak fairness requirement.) We define $Fair_i(\varphi, t, l)$ as follows:

$Fair_i(\varphi, t, l) =_{def} \lambda es.\ \text{i-formula}(\varphi, I) \wedge \text{i-term}(t, I) \wedge$
$(\forall e' \in es.\ (kind(e') = rcv(l) \Rightarrow I(\varphi)(state\ before\ send(e')) \wedge val(e') = I(t)(state\ before\ send(e')))) \wedge$
$((\exists e@i \in es \wedge \forall e@i \in es.\ \exists e' \succeq_i e.\ I(\neg\varphi)(state\ after\ e')) \vee (\neg(\exists e@i \in es) \wedge I(\neg\varphi)(initstate_i))$
$\vee (\exists e@i \in es \wedge \forall e@i \in es.\ \exists e'.\ kind(e') = rcv(l) \wedge send(e') \succeq_i e)).$

We are interested in this fairness specification only in settings where communication satisfies a (strong) fairness requirement: if infinitely often an agent sends a message on a link $l$, then infinitely often some message is delivered on $l$. We formalize this assumption using the following specification:

$FairSend(l) =_{def} \lambda es.\ (\forall e@i \in es.\ \exists e' \succeq_i e.\ msg(l)\ after\ e' \neq \bot)$
$\Rightarrow (\forall e@i \in es.\ \exists e'.\ kind(e') = rcv(l) \wedge send(e') \succeq_i e).$

We explain below why we need communication to satisfy strong fairness rather than weak fairness (which would require only that if a message is sent infinitely often, then a message is eventually delivered).
For an arbitrary action $a$, let $Fair\text{-}Pg(\varphi, t, l, a)$ be the following program for agent $i$:

@i kind = local(a) only if $\varphi$ ⊕
@i if kind = local(a) then msg(l) := t ⊕
@i only [a] affects msg(l) ⊕
@i if necessarily $\varphi$ then i.o. kind = local(a).

The first basic program says that $i$ takes action $a$ only if $\varphi$ holds. The second basic program says that the effect of agent $i$ taking action $a$ is for $t$ to be sent on link $l$; in other words, $a$ is $i$'s action of sending $t$ to agent $j$. The third program ensures that only action $a$ has the effect of sending a message to agent $j$. With this program, if agent $j$ (the receiver) receives a message from agent $i$ (the sender), then it must be the case that the value of the message is $t$ and that $\varphi$ was true with respect to $i$'s local state when it sent the message to $j$. The last basic program ensures that if $\varphi$ holds from some point on in an infinite event sequence, then eventually an event of kind $a$ occurs; thus, $i$ must send the message $t$ infinitely often. The fairness requirement on communication ensures that if an event of kind $a$ where $i$ sends $t$ occurs infinitely often, then $t$ is received infinitely often.
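The semantics of Section 2.3.2 and the program Fair-Pg above can be checked mechanically on finite event structures. The following Python model is an added example and not code from the paper or from Nuprl: it encodes $\mathit{Consistent}_I$ for the five kinds of basic program and for ⊕ (using the paper's convention that, for a finite sequence of events at $i$, "from some point on" means "at the last state"), builds $Fair\text{-}Pg(\varphi, t, l, a)$, and checks it, together with $FairSend(l)$ and the safety conjunct of $Fair_i(\varphi, t, l)$, against a constructed event structure in the style of the proof of Lemma 2.9, where $i$ sends its counter on link $l$ and $j$ receives it. The link name l, the state variables n and got, the formula $\varphi$ (n ≥ 1) and the term $t$ (n) are all assumptions; formulas and terms are represented as Python functions of $i$'s local state, so the i-formula and i-term side conditions hold by construction and are not checked.

```python
"""Finite model of Consistent_I for basic programs (Section 2.3.2) and of Fair-Pg
(Section 2.4).  Added example, not the paper's or Nuprl's code; the link name,
state variables and formulas are constructed."""
from dataclasses import dataclass, field

LINKS = {"l": ("i", "j")}       # constructed: link l with source i and destination j

@dataclass(eq=False)
class Event:
    agent: str
    kind: tuple                 # ("local", action) or ("rcv", link)
    before: dict                # i's local state before e (None = bottom)
    after: dict                 # i's local state after e
    send: "Event" = None        # rcv events only: the matching send event
    val: object = None          # rcv events only: the value received

@dataclass
class EventStructure:
    initstate: dict                             # initstate_i for each agent i
    events: dict = field(default_factory=dict)  # i's events, in their total order

    def at(self, i):
        return self.events.get(i, [])

    def later(self, i, e):
        """Events e' with e' at or after e in i's sequence (e' >=_i e)."""
        seq = self.at(i)
        return seq[seq.index(e):]

def consistent(pg, es):
    """Consistent_I(Pg, es).  Formulas and terms are Python functions of i's local
    state, so the i-formula / i-term side conditions hold by construction."""
    tag = pg[0]
    if tag == "compose":                     # Pg_1 (+) Pg_2 (+) ...
        return all(consistent(p, es) for p in pg[1:])
    i = pg[1]
    if tag == "init":                        # @i initially phi
        return pg[2](es.initstate[i])
    if tag == "effect":                      # @i if kind = k then x := t
        _, _, k, x, t = pg
        return all(e.after.get(x) == t(e.before) for e in es.at(i) if e.kind == k)
    if tag == "pre":                         # @i kind = local(a) only if phi
        _, _, a, phi = pg
        return all(phi(e.before) for e in es.at(i) if e.kind == ("local", a))
    if tag == "frame":                       # @i only L affects x
        _, _, L, x = pg
        if x.startswith("msg("):             # a send is msg(l) after e != bottom
            return all(e.kind in L for e in es.at(i) if e.after.get(x) is not None)
        return all(e.kind in L for e in es.at(i) if e.after.get(x) != e.before.get(x))
    if tag == "fair":                        # @i if necessarily phi then i.o. kind = local(a)
        _, _, phi, a = pg
        if not es.at(i):                     # no events at i: phi must fail at initstate_i
            return not phi(es.initstate[i])
        return all(any(not phi(e2.after) or e2.kind == ("local", a)
                       for e2 in es.later(i, e)) for e in es.at(i))
    raise ValueError(tag)

def fair_pg(i, phi, t, l, a):
    """Fair-Pg(phi, t, l, a): the four basic programs for agent i, composed."""
    return ("compose", ("pre", i, a, phi),
            ("effect", i, ("local", a), f"msg({l})", t),
            ("frame", i, {("local", a)}, f"msg({l})"),
            ("fair", i, phi, a))

def fair_send(l, es):
    """FairSend(l): if i sends on l again and again, every send is eventually
    followed by a receive on l whose send is at or after it."""
    i, j = LINKS[l]
    sends_io = all(any(e2.after.get(f"msg({l})") is not None for e2 in es.later(i, e))
                   for e in es.at(i))
    delivered = all(any(r.kind == ("rcv", l) and r.send in es.later(i, e) for r in es.at(j))
                    for e in es.at(i))
    return (not sends_io) or delivered

def fair_safety(phi, t, l, es):
    """Safety conjunct of Fair_i(phi, t, l): each receive on l carries t evaluated at
    the sender's state before the send, and phi held at that state."""
    _, j = LINKS[l]
    return all(phi(r.send.before) and r.val == t(r.send.before)
               for r in es.at(j) if r.kind == ("rcv", l))

def alternating_es(rounds, n0=1, corrupt_last=False):
    """Constructed structure in the style of Lemma 2.9's proof: i sends its counter n
    on l (kind local(a)) and j receives it; corrupt_last delivers a wrong last value."""
    es = EventStructure({"i": {"n": n0, "msg(l)": None}, "j": {"got": ()}})
    s_i, s_j, ev_i, ev_j = es.initstate["i"], es.initstate["j"], [], []
    for r in range(rounds):
        e = Event("i", ("local", "a"), s_i, {"n": s_i["n"] + 1, "msg(l)": s_i["n"]})
        v = s_i["n"] + (1 if corrupt_last and r == rounds - 1 else 0)
        rv = Event("j", ("rcv", "l"), s_j, {"got": s_j["got"] + (v,)}, send=e, val=v)
        ev_i.append(e)
        ev_j.append(rv)
        s_i, s_j = e.after, rv.after
    es.events = {"i": ev_i, "j": ev_j}
    return es

PHI = lambda s: s["n"] >= 1     # the precondition phi (an i-formula)
T = lambda s: s["n"]            # the term t (an i-term)
PG = fair_pg("i", PHI, T, "l", "a")

def demo():
    good, bad = alternating_es(3), alternating_es(3, corrupt_last=True)
    return {"Fair-Pg consistent with good": consistent(PG, good),
            "FairSend(l)(good)": fair_send("l", good),
            "Fair_i safety(good)": fair_safety(PHI, T, "l", good),
            "Fair_i safety(bad)": fair_safety(PHI, T, "l", bad),
            "empty es, phi false at initstate_i": consistent(PG, alternating_es(0, n0=0)),
            "empty es, phi true at initstate_i": consistent(PG, alternating_es(0, n0=1))}
```

demo() returns True for consistency, $FairSend(l)$ and the safety conjunct on the well-formed structure, False for safety when the last delivered value is corrupted, and shows that the empty event structure is consistent with Fair-Pg only when $\varphi$ fails at $initstate_i$, as the semantics of fairness programs requires.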

Lemma 2.8: For all actions $a$, $Fair\text{-}Pg(\varphi, t, l, a)$ satisfies $\lambda es.\ FairSend(l)(es) \Rightarrow Fair_i(\varphi, t, l)(es)$ with respect to all interpretations $I$ such that $\varphi$ is an i-formula and $t$ is an i-term in $I$.

Proof: We present the key points of the proof here, omitting some details for ease of exposition. We follow the scheme GS. We assume that $\text{i-formula}(\varphi, I)$ and $\text{i-term}(t, I)$ both hold.

Step 1. For each event structure $es$, $Fair_i(\varphi, t, l)(es)$ is equivalent to a conjunction of three formulas:

$\varphi_1(es):\ \forall e' \in es.\ (kind(e') = rcv(l)) \Rightarrow I(\varphi)(state\ before\ send(e'))$
$\varphi_2(es):\ \forall e' \in es.\ (kind(e') = rcv(l)) \Rightarrow val(e') = I(t)(state\ before\ send(e'))$
$\varphi_3(es):\ (\exists e@i \in es \wedge \forall e@i \in es.\ \exists e' \succeq_i e.\ I(\neg\varphi)(state\ after\ e')) \vee$
$(\neg(\exists e@i \in es) \wedge I(\neg\varphi)(initstate_i)) \vee$
$(\exists e@i \in es \wedge \forall e@i \in es.\ \exists e'.\ kind(e') = rcv(l) \wedge send(e') \succeq_i e).$

We want to find formulas $\psi_1(es), \ldots, \psi_4(es)$ that follow from the four basic programs that make up $Fair\text{-}Pg(\varphi, t, l, a)$ and together imply $\varphi_1(es) \wedge \varphi_2(es) \wedge \varphi_3(es)$. It will simplify matters to reason directly about the events where a message is sent on link $l$. We thus assume that, for all events $e$, agent $i$ sends a message on link $l$ during event $e$ iff $kind(e) = local(a)$. This assumption is expressed by:

$\psi_1(es) =_{def} \forall e@i \in es.\ (msg(l)\ after\ e \neq \bot) \Rightarrow (kind(e) = local(a)).$

It is easy to check that $(\psi_1(es) \wedge \psi_2(es)) \Rightarrow \varphi_1(es)$ is true, where $\psi_2(es)$ is

$\forall e@i \in es.\ (kind(e) = local(a)) \Rightarrow I(\varphi)(state\ before\ e).$

Similarly, using the axiom of event structures given in Section 2.2 that says that the value of a receive event $e$ on $l$ is the value of $msg(l)$ after $send(e)$, it is easy to check that $(\psi_1(es) \wedge \psi_3(es)) \Rightarrow \varphi_2(es)$ is true, where $\psi_3(es)$ is

$\forall e@i \in es.\ (kind(e) = local(a)) \Rightarrow msg(l)\ after\ e = I(t)(state\ before\ e).$

We can show that $(\psi_3(es) \wedge \psi_4(es) \wedge FairSend(l)(es)) \Rightarrow \varphi_3(es)$ is true, where $\psi_4$ is

$(\exists e@i \in es \wedge \forall e@i \in es.\ \exists e' \succeq_i e.\ I(\neg\varphi)(state\ after\ e')) \vee$
$(\neg(\exists e@i \in es) \wedge I(\neg\varphi)(initstate_i)) \vee$
$(\exists e@i \in es \wedge \forall e@i \in es.\ \exists e' \succeq_i e.\ kind(e') = local(a)).$

It follows that

$\forall es.\ ((\psi_1(es) \wedge \psi_2(es) \wedge \psi_3(es) \wedge \psi_4(es)) \Rightarrow (FairSend(l)(es) \Rightarrow Fair_i(\varphi, t, l)(es))).$

Step 2. By Ax-sends,

@i only [a] affects msg(l) $\models_I \psi_1$.

By Ax-if,

@i kind = local(a) only if $\varphi$ $\models_I \psi_2$.

By Ax-cause,

@i if kind = local(a) then msg(l) := t $\models_I \psi_3$,

and by Ax-fair,

@i if necessarily $\varphi$ then i.o. kind = local(a) $\models_I \psi_4$.

By the soundness of GS (Proposition 2.7), $Fair\text{-}Pg(\varphi, t, l, a)$ satisfies $\lambda es.\ FairSend(l)(es) \Rightarrow Fair_i(\varphi, t, l)(es)$ with respect to $I$. ∎

Lemma 2.9: For all interpretations $I$ such that $\varphi$ is an i-formula and $t$ is an i-term in $I$, if $\varphi$ satisfies the principle of excluded middle with respect to $I$, then $Fair\text{-}Pg(\varphi, t, l, a)$ is consistent with respect to $I$.

Proof: This argument is almost identical to that showing that fair programs are realizable with respect to interpretations where the precondition satisfies the principle of excluded middle. Since $\varphi$ satisfies the principle of excluded middle with respect to $I$, either there exists an $I$-local state $s^*$ for agent $i$ such that $I(\neg\varphi)(s^*)$ holds, or $I(\varphi)(s_i)$ holds for all $I$-local states $s_i$ for $i$. In the former case, let $es$ be an empty event structure such that $i, j \in AG$, $l \in Links$, $a \in Act$, and $initstate_i = s^*$. In the latter case, choose $es$ with $AG$ and $Links$ as above, let $Act = \{a, b\}$, and let $i$ and $j$ alternate sending and receiving the message $t$ on link $l$, where these events have kind $a$ and $b$, respectively. ∎

Corollary 2.10: For all interpretations $I$ such that $\varphi$ is an i-formula and $t$ is an i-term in $I$, if $\varphi$ satisfies the principle of excluded middle with respect to $I$, then the specification $Fair_i(\varphi, t, l)$ is realizable with respect to $I$.

Proof: This is immediate from Lemmas 2.8 and 2.9 and from the fact that the event structure constructed in Lemma 2.9 satisfies $FairSend(l)$. ∎

The notion of strong communication fairness is essential for the results above: $Fair_i(\varphi, t, l)$ may not be realizable if we assume that communication satisfies only a weak notion of fairness that says that if a message is sent after some point on, then it is eventually received. This is so essentially because our programming language is replacing standard "if condition then take action" programs with weaker variants that ensure that, if after some point a condition holds, then eventually some action is taken.

We now show that the composition of $Fair\text{-}Pg(\varphi, t, l, a)$ and $Fair\text{-}Pg(\varphi', t', l', a')$ for different links $l$ and $l'$ satisfies the corresponding fairness assumptions.

Lemma 2.11: For all distinct actions $a$ and $a'$, and all distinct links $l$ and $l'$, $Fair\text{-}Pg(\varphi, t, l, a) \oplus Fair\text{-}Pg(\varphi', t', l', a')$ satisfies

$\lambda es.\ (FairSend(l)(es) \wedge FairSend(l')(es)) \Rightarrow (Fair_i(\varphi, t, l)(es) \wedge Fair_{i'}(\varphi', t', l')(es))$

with respect to all interpretations $I$ such that $\varphi$ is an i-formula, $t$ is an i-term, $\varphi'$ is an $i'$-formula, and $t'$ is an $i'$-term in $I$.

Proof: Suppose $a \neq a'$. We again use scheme GS.

Step 1. Clearly, we can take $\varphi_1$ to be $\lambda es.\ FairSend(l)(es) \Rightarrow Fair_i(\varphi, t, l)(es)$ and $\varphi_2$ to be $\lambda es.\ FairSend(l')(es) \Rightarrow Fair_{i'}(\varphi', t', l')(es)$.

Step 2. By Lemma 2.8, $Fair\text{-}Pg(\varphi, t, l, a) \models_I \varphi_1$ and $Fair\text{-}Pg(\varphi', t', l', a') \models_I \varphi_2$. ∎

Finally, we can show that $Fair\text{-}Pg(\varphi, t, l, a) \oplus Fair\text{-}Pg(\varphi', t', l', a')$ is consistent, where $l$ is a link from $i$ to $j$, $l'$ is a link from $i'$ to $j'$, and $l \neq l'$ (so that we may have $i = i'$ or $j = j'$, but not both), and thus the specification $\lambda es.\ (FairSend(l)(es) \wedge FairSend(l')(es)) \Rightarrow (Fair_i(\varphi, t, l)(es) \wedge Fair_{i'}(\varphi', t', l')(es))$ is realizable with respect to $I$, if both $\varphi$ and $\varphi'$ satisfy the principle of excluded middle with respect to $I$.

Lemma 2.12: For all interpretations $I$ such that $\varphi$ is an i-formula, $t$ is an i-term, $\varphi'$ is an $i'$-formula, and $t'$ is an $i'$-term in $I$, if both $\varphi$ and $\varphi'$ satisfy the principle of excluded middle with respect to $I$, then, for all distinct actions $a$ and $a'$ and all distinct links $l$ and $l'$, $Fair\text{-}Pg(\varphi, t, l, a) \oplus Fair\text{-}Pg(\varphi', t', l', a')$ is consistent with respect to $I$.

Proof: If $I(\neg\varphi \wedge \neg\varphi')(s)$ holds for some global state $s$, then let $es$ be the empty event structure such that $initstate_i = s_i$ and $initstate_{i'} = s_{i'}$. Clearly $es$ is consistent with $Fair\text{-}Pg(\varphi, t, l, a) \oplus Fair\text{-}Pg(\varphi', t', l', a')$. Otherwise, let $es$ be an event structure with domain $Val_i$, $i, j, i', j' \in AG$, and $l, l' \in Links$, consisting of an infinite sequence of states such that if $I(\varphi)$ holds for infinitely many states, then $i$ sends $t$ on link $l$ infinitely often; if $I(\varphi')$ holds for infinitely many states, then $i'$ sends $t'$ on link $l'$ infinitely often; if $t$ is sent on $l$ infinitely often, then $j$ receives it on link $l$ infinitely often; and if $t'$ is sent on $l'$ infinitely often, then $j'$ receives it on $l'$ infinitely often. It is straightforward to construct such an event structure $es$. Again, it should be clear that $es$ is consistent with $Fair\text{-}Pg(\varphi, t, l, a) \oplus Fair\text{-}Pg(\varphi', t', l', a')$. ∎

3 Adding knowledge to Nuprl 

We now show how knowledge-based programs can be introduced into Nuprl. 
3.1 Consistent cut semantics for knowledge

We want to extend basic programs to allow for tests that involve knowledge. For simplicity, we take $AG = \{1, 2, \ldots, n\}$. As before, we start with a finite set of predicates and functions, and close off under conjunction, negation, and quantification over non-local variables; but now, in addition, we also close off under application of the temporal operators $\Box$ and $\Diamond$, and the epistemic operators $K_i$, $i = 1, \ldots, n$, one for each process $i$.

We again want to define a consistency relation in Nuprl for each program. To do that, we first need to review the semantics of knowledge. Typically, semantics for knowledge is given with respect to a pair $(r, m)$ consisting of a run $r$ and a time $m$, assumed to be the time on some external global clock (that none of the processes necessarily has access to) [Fagin, Halpern, Moses, and Vardi 1995]. In event structures, there is no external notion of time. Fortunately, Panangaden and Taylor [1992] give a variant of the standard definition with respect to what they call asynchronous runs, which are essentially identical to event structures. We just apply their definition in our framework.

The truth of formulas is defined relative to a pair $(Sys, c)$, consisting of a system $Sys$ (i.e., a set of event structures) and a consistent cut $c$ of some event structure $es \in Sys$, where a consistent cut $c$ in $es$ is a set of events in $es$ closed under the causality relation. Recall from Section 2.2 that this amounts to $c$ satisfying the constraint that, if $e'$ is an event in $c$ and $e$ is an event in $es$ that precedes $e'$ (i.e., $e \prec e'$), then $e$ is also in $c$. We write $c \in Sys$ if $c$ is a consistent cut in some event structure in $Sys$.

Traditionally, a knowledge formula $K_i\varphi$ is interpreted as true at a point $(r, m)$ if $\varphi$ is true regardless of $i$'s uncertainty about the whole system at $(r, m)$. Since we interpret formulas relative to a pair $(Sys, c)$, we need to make precise $i$'s uncertainty at such a pair. For the purposes of this paper, we assume that each agent keeps track of all the events that have occurred and involved him (which corresponds to the assumption that agents have perfect recall); we formalize this assumption below. Even in this setting, agents can be uncertain about what events have occurred in the system, and about their relative order. Consider, for example, the scenario in the left panel of Figure 1: agent $i$ receives a message from agent $j$ (event $e_2$), then sends a message to agent $k$ ($e_3$), then receives a second message from agent $j$ ($e_6$), and then performs an internal action ($e_7$). Agent $i$ knows that $send(e_2)$ occurred prior to $e_2$ and that $send(e_6)$ occurred prior to $e_6$. However, $i$ considers possible that after receiving his message, agent $k$ sent a message to $j$ which was received by $j$ before $e_6$ (see the right panel of Figure 1).

In general, as argued by Panangaden and Taylor, agent $i$ considers possible any consistent cut in which he has recorded the same sequence of events. To formalize this intuition, we define equivalence relations $\sim_i$, $i = 1, \ldots, n$, on consistent cuts by taking $c \sim_i c'$ if $i$'s history is the same in $c$ and $c'$. Given two consistent cuts $c$ and $c'$, we say that $c \preceq c'$ if, for each process $i$, process $i$'s history in $c$ is a prefix of process $i$'s history in $c'$. Relative to $(Sys, c)$, agent $i$ considers possible any consistent cut $c' \in Sys$ such that $c' \sim_i c$.

Since the semantics of knowledge given here implicitly assumes that agents have perfect recall, we restrict to event structures that also satisfy this assumption. So, for the remainder of this paper, we restrict to systems where local states encode histories, that is, we restrict to systems $Sys$ such that, for all event structures $es, es' \in Sys$, if $e$ is an event in $es$, $e'$ is an event in $es'$, $agent(e) = agent(e') = i$, and $state\ before\ e = state\ before\ e'$, then $i$ has the same history in both $es$ and $es'$. For simplicity, we guarantee this by assuming that each agent $i$ has a local variable $history_i \in X_i$ that encodes its history. Thus, we take $initstate_i(history_i) = \bot$ and for all events $e$ associated with agent $i$, we have $(s\ after\ e)(history_i) = (s\ before\ e)(history_i) \cdot e$. It immediately follows that in two global states where $i$ has the same local state, $i$ must have the same history. Let $System$ be the set of all such systems.

Recall that events associated with the same agent are totally ordered. This means that we can associate with every consistent cut $c$ a global state $s^c$: for each agent $i$, $s^c_i$ is $i$'s local state after the last event associated with $i$ in $c$ occurs. Since local states encode histories, it follows that if $s^c_i = s^{c'}_i$, then $c \sim_i c'$. It is not difficult to see that the converse is also true; that is, if $c \sim_i c'$, then $s^c_i = s^{c'}_i$. We also write $s^c \preceq s^{c'}$ if $c \preceq c'$. In the following, we assume that all global states in a system $Sys$ have the form $s^c$ for some consistent cut $c$.

Nuprl is rich enough that epistemic and modal operators can be defined within Nuprl. Thus, to interpret formulas with epistemic operators and temporal operators, we just translate them to formulas that do not mention them. Since the truth of an epistemic formula depends not just on a global state, but on a pair $(Sys, c)$, where the consistent cut $c$ can be identified with a global state in some event structure in $Sys$, the translated formulas will need to include variables that, intuitively, range over systems and global states. To make this precise, we expand the language so that it includes rigid binary predicates $CC$ and $\preceq$, a rigid binary function $ls$, and rigid constants $\mathbf{s}$ and $\mathbf{Sys}$. Intuitively, $\mathbf{s}$ represents a global state, $\mathbf{Sys}$ represents a system, $CC(x, y)$ holds if $y$ is a consistent cut (i.e., global state) in system $x$, $ls(x, i)$ is $i$'s local state in global state $x$, and $\preceq$ represents the ordering on consistent cuts defined above.

For every formula $\varphi$ that does not mention modal operators, we take $\varphi^* = \varphi$. We define

$(K_i\varphi)^* =_{def} \forall s'((CC(\mathbf{Sys}, s') \wedge ls(s', i) = ls(\mathbf{s}, i)) \Rightarrow \varphi^*[\mathbf{s}/s'])$,
$(\Box\varphi)^* =_{def} \forall s'((CC(\mathbf{Sys}, s') \wedge \mathbf{s} \preceq s') \Rightarrow \varphi^*[\mathbf{s}/s'])$,

and

$(\Diamond\varphi)^* =_{def} \exists s'(CC(\mathbf{Sys}, s') \wedge \mathbf{s} \preceq s' \wedge \varphi^*[\mathbf{s}/s'])$.

Given an interpretation $I$, let $I'$ be the interpretation that extends $I$ by adding to $\varphi_I$ formulas characterizing $\mathbf{Sys}$, $\mathbf{s}$, $CC$, $ls$, and $\preceq$ appropriately. That is, the formulas force $\mathbf{Sys}$ to represent a set of event structures, $\mathbf{s}$ to be a consistent cut in one of these event structures, and so on. These formulas are all expressible in Nuprl. More specifically, we restrict here to constructive systems, that is, systems that can be defined in Nuprl. A constructive system $Sys$ can be characterized by a formula $\varphi_{Sys}$ in Nuprl. $\varphi_{Sys}$ has a free variable $\mathbf{Sys}$ ranging over systems such that $\varphi_{Sys}$ holds under interpretation $I'$ and valuation $V$ iff $V(\mathbf{Sys}) = Sys$. We now define a predicate $I'_V(\varphi)$ on systems and global states by simply taking $I'_V(\varphi)(Sys, s)$ to hold iff $\varphi_{I'}$ together with the conjunction of atomic formulas of the form $x = V(x)$ for all non-local variables $x$ that appear in $\varphi$, $x = s_i(x)$ for variables $x \in X_i$, $i \in AG$, that appear in $\varphi$, $\mathbf{s} = s$, and $\varphi_{Sys}$, imply $(\varphi^*)^+$ (where, in going from $\varphi^*$ to $(\varphi^*)^+$, we continue to use the $\mathbf{s}$). Thus, we basically reduce a modal formula to a non-modal formula, and evaluate it in system $Sys$ using $I'_V$.

Just as in the case of non-epistemic formulas, the valuation $V$ is not needed to interpret formulas whose only free variables are in $\bigcup_{i \in AG} X_i$. For such formulas, we typically write $I'(\varphi)(Sys, s)$ instead of $I'_V(\varphi)(Sys, s)$. We can also define i-formulas and i-terms, but now whether a formula is an i-formula or a term is an i-term depends, not only on the interpretation, but on the system. A formula $\varphi$ is an i-formula in interpretation $I'$ and system $Sys$ if, for all states $s, s'$ in $Sys$, $I'_V(\varphi)(Sys, s) = I'_V(\varphi)(Sys, s')$ if $s_i = s'_i$; similarly, $t$ is an i-term in interpretation $I'$ and system $Sys$ if $I'_V(t)(Sys, s) = I'_V(t)(Sys, s')$ if $s_i = s'_i$. We write this as $\text{i-formula}(\varphi, I, Sys)$ and $\text{i-term}(t, I, Sys)$, respectively. If $\varphi$ is an i-formula and $t$ is an i-term in $I$ and $Sys$ for all systems $Sys$, then we simply write $\text{i-formula}(\varphi, I)$ and $\text{i-term}(t, I)$. For an i-formula, we often write $I'_V(\varphi)(Sys, s_i)$ rather than $I'_V(\varphi)(Sys, s)$. Note that a Boolean combination of epistemic formulas whose outermost knowledge operators are $K_i$ is guaranteed to be an i-formula in every interpretation, as is a formula that has no nonrigid functions or predicates and does not mention $K_j$ for $j \neq i$. The former claim is immediate from the following lemma.

Lemma 3.1: For all formulas $\varphi$, systems $Sys$, and global states $s$ and $s'$, if $s_i = s'_i$, then $I'(K_i\varphi)(Sys, s)$ holds iff $I'(K_i\varphi)(Sys, s')$ does.

Proof: Follows from the observation that if we have a proof in Nuprl that an i-formula holds given $I'$, $Sys$, and $s \in Sys$, then we can rewrite the proof so that it mentions only $s_i$ rather than $s$. Thus, we actually have a proof that the i-formula holds in all states $s' \in Sys$ such that $s'_i = s_i$. ∎
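The translation $(K_i\varphi)^*$, the ordering $\preceq$ and Lemma 3.1 can be exercised on a small finite system. The following Python code is an added example, not the paper's or Nuprl's: a system is a list of event structures, a consistent cut is a vector of per-agent prefix lengths closed under the send-before-receive constraint, local states are histories (as assumed above), and $K_i$ and $\Diamond$ are evaluated by quantifying over $CC(Sys)$ exactly as the translation does. The two event structures follow the Figure 1 description (agent $i$ receives from $j$, sends to $k$, receives from $j$ again, then acts internally; in the second structure $k$ also sends to $j$ before $j$'s second send); the event names and the atomic predicate sent(frm, to) are constructed.

```python
"""Consistent-cut semantics of knowledge (Section 3.1) checked on a finite
system.  Added example, not the paper's or Nuprl's code: the three-agent
scenario follows the Figure 1 description, but the event names are constructed."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Tuple

AGENTS = ("i", "j", "k")
Cut = Tuple[int, ...]            # per-agent prefix lengths, in AGENTS order


@dataclass
class ES:
    """Events per agent in local (total) order; msgs are (send, receive) pairs.
    Local states encode histories, so a cut is fully described by its prefixes."""
    events: Dict[str, Tuple[str, ...]]
    msgs: Tuple[Tuple[str, str], ...]

    def agent_of(self, e: str) -> str:
        return next(a for a, seq in self.events.items() if e in seq)

    def in_cut(self, c: Cut, e: str) -> bool:
        a = self.agent_of(e)
        return self.events[a].index(e) < c[AGENTS.index(a)]

    def history(self, c: Cut, i: str) -> Tuple[str, ...]:
        return self.events[i][:c[AGENTS.index(i)]]     # i's local state ls(c, i)

    def cuts(self) -> List[Cut]:
        """All consistent cuts: prefix vectors closed under causality (a receive is
        in the cut only if its send is; same-agent order is built into prefixes)."""
        ranges = [range(len(self.events[a]) + 1) for a in AGENTS]
        return [c for c in product(*ranges)
                if all(self.in_cut(c, s) for s, r in self.msgs if self.in_cut(c, r))]


Pred = Callable[[ES, Cut], bool]         # a translated, non-modal formula on (Sys, s)


def sent(frm: str, to: str) -> Pred:
    """Constructed atomic predicate: some message from `frm` to `to` was sent in the cut."""
    return lambda es, c: any(es.in_cut(c, s) for s, r in es.msgs
                             if es.agent_of(s) == frm and es.agent_of(r) == to)


def cc(sys_: List[ES]):
    """CC(Sys, .): every consistent cut of every event structure in Sys."""
    return [(es, c) for es in sys_ for c in es.cuts()]


def possible_cuts(i: str, sys_: List[ES], es: ES, c: Cut):
    """Cuts c' in Sys with c' ~_i c, i.e. ls(c', i) = ls(c, i)."""
    h = es.history(c, i)
    return [(es2, c2) for es2, c2 in cc(sys_) if es2.history(c2, i) == h]


def knows(i: str, phi: Pred, sys_: List[ES], es: ES, c: Cut) -> bool:
    """(K_i phi)*: phi holds at every cut of Sys that i cannot distinguish from c."""
    return all(phi(es2, c2) for es2, c2 in possible_cuts(i, sys_, es, c))


def leq(es: ES, c: Cut, es2: ES, c2: Cut) -> bool:
    """c <= c': each agent's history in c is a prefix of its history in c'."""
    return all(es2.history(c2, a)[:len(es.history(c, a))] == es.history(c, a) for a in AGENTS)


def eventually(phi: Pred, sys_: List[ES], es: ES, c: Cut) -> bool:
    """(<>phi)*: some cut s' of Sys with s <= s' satisfies phi."""
    return any(phi(es2, c2) for es2, c2 in cc(sys_) if leq(es, c, es2, c2))


def demo() -> dict:
    # es1: j sends to i (e1/e2), i sends to k (e3/e4), j sends to i again (e5/e6),
    # i acts internally (e7).  es2: additionally k answers j (e8/e9) before e5.
    es1 = ES({"i": ("e2", "e3", "e6", "e7"), "j": ("e1", "e5"), "k": ("e4",)},
             (("e1", "e2"), ("e3", "e4"), ("e5", "e6")))
    es2 = ES({"i": ("e2", "e3", "e6", "e7"), "j": ("e1", "e9", "e5"), "k": ("e4", "e8")},
             (("e1", "e2"), ("e3", "e4"), ("e8", "e9"), ("e5", "e6")))
    sys_ = [es1, es2]
    full1, full2, early = (4, 2, 1), (4, 3, 2), (1, 1, 0)
    not_sent_kj = lambda e, c: not sent("k", "j")(e, c)
    return {
        "cuts i considers possible at the end of es1": len(possible_cuts("i", sys_, es1, full1)),
        "K_i(j sent to i) at end of es1": knows("i", sent("j", "i"), sys_, es1, full1),
        "K_i(not k sent to j) at end of es1": knows("i", not_sent_kj, sys_, es1, full1),
        "K_i(k sent to j) at end of es2": knows("i", sent("k", "j"), sys_, es2, full2),
        "<>(k sent to j) after i receives e2": eventually(sent("k", "j"), sys_, es1, early),
        "<>(k sent to j) at end of es1": eventually(sent("k", "j"), sys_, es1, full1),
    }
```

At the final cut of the first structure $i$ knows that $j$ sent to it, but does not know whether $k$ sent to $j$, because a cut of the second structure with the same $i$-history is among the three cuts $i$ considers possible; that knowledge value depends only on $i$'s history, which is the content of Lemma 3.1. The $\Diamond$ check shows that "k eventually sends to j" is possible right after $e_2$ but no longer at the end of the first structure, since by then $j$'s history rules out the second structure's cuts.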

3.2 Knowledge-based programs and specifications 

In this section, we show how we can extend the notions of program and specification presented in Section 2 to knowledge-based programs and specifications. This allows us to employ the large body of tactics and libraries already developed in Nuprl to synthesize knowledge-based programs from knowledge-based specifications.

3.2.1 Syntax and semantics  Define knowledge-based message automata just as we defined message automata in Section 2.3, except that we now allow arbitrary epistemic formulas in tests. If we want to emphasize that the tests can involve knowledge, we talk about knowledge-based initialization, precondition, effect, and fairness programs. For the purposes of this paper, we take knowledge-based programs to be knowledge-based message automata.

We give semantics to knowledge-based programs by first associating with each knowledge-based program a function from systems to systems. Let $(Pg^{kb})^*$ be the result of replacing every formula $\varphi$ in $Pg^{kb}$ by $\varphi^*$. Note that $(Pg^{kb})^*$ is a standard program, with no modal formulas. Given an interpretation $I$ and a system $Sys$, let $I(Sys)$ be the result of adding to $\varphi_I$ the formula $\varphi_{Sys}$.

Now we can apply the semantics of Section 2.3.2 and get the system $S_{I(Sys)}((Pg^{kb})^*)$. In general, the system $S_{I(Sys)}((Pg^{kb})^*)$ will be different from the system $Sys$. A system $Sys$ represents a knowledge-based program $Pg^{kb}$ (with respect to interpretation $I$) if it is a fixed point of this mapping; that is, if $S_{I(Sys)}((Pg^{kb})^*) = Sys$. Following Fagin et al. [1995, 1997], we take the semantics of a knowledge-based program $Pg^{kb}$ to be the set of systems that represent it.

Definition 3.2: A knowledge-based program semantics is a function associating with a knowledge-based program $Pg^{kb}$ and an interpretation $I$ the systems that represent $Pg^{kb}$ with respect to $I$; that is, $S_I^{kb}(Pg^{kb}) = \{Sys \in System \mid S_{I(Sys)}((Pg^{kb})^*) = Sys\}$. ∎

As observed by Fagin et al. [1995, 1997], it is possible to construct knowledge-based programs that are represented by no systems, exactly one system, or more than one system. However, there exist conditions (which are often satisfied in practice) that guarantee that a knowledge-based program is represented by exactly one system. Note that, in particular, standard programs, when viewed as knowledge-based programs, are represented by a unique system; indeed, $S_I^{kb}(Pg) = \{S_I(Pg)\}$. Thus, we can view $S_I^{kb}$ as extending $S_I$.

A (standard) program $Pg$ implements the knowledge-based program $Pg^{kb}$ with respect to interpretation $I$ if $S_I(Pg)$ represents $Pg^{kb}$ with respect to $I$, that is, if $S_{I(S_I(Pg))}((Pg^{kb})^*) = S_I(Pg)$. In other words, by interpreting the tests in $Pg^{kb}$ with respect to the system generated by $Pg$, we get back the program $Pg$.

3.2.2 Knowledge-based specifications  Recall that a standard specification is a predicate on event structures. Following [Fagin, Halpern, Moses, and Vardi 1997], we take a knowledge-based specification (kb specification from now on) to be a predicate on systems.

Definition 3.3: A knowledge-based specification is a predicate on System. A knowledge-based program Pg^kb satisfies a knowledge-based specification Y^kb with respect to I, written Pg^kb ⊨_I Y^kb, if all the systems representing Pg^kb with respect to I satisfy Y^kb, that is, if the following formula holds: ∀Sys ∈ S_I^kb(Pg^kb). Y^kb(Sys). The knowledge-based specification Y^kb is realizable with respect to I if there exists a (standard) program Pg such that S_I(Pg) ≠ ∅ and Pg ⊨_I Y^kb (i.e., Y^kb(S_I(Pg)) is true). ∎

As for standard basic programs, it is not difficult to show that knowledge-based precondition, effect, and frame programs are trivially consistent: we simply take Sys to consist of only one event structure es with no events. A knowledge-based initialization program is realizable iff ψ_I ∧ φ^* is satisfiable. Finding sufficient conditions for fair knowledge-based programs to be realizable is nontrivial. We cannot directly translate the constructions sketched for the standard case to the knowledge-based case because, at each step in the construction (when an event structure has been only partially constructed), we would have to argue that a certain knowledge-based fact holds when interpreted with respect to an entire system and an entire event structure. However, in the next section, the knowledge-based programs used in the argument for STP (which do include fairness requirements) are shown to be realizable.



3.2.3 Axioms  We now consider the extent to which we can generalize the axioms characterizing (standard) programs presented in Section 2.3 to knowledge-based programs.

Basic knowledge-based message automata other than knowledge-based precondition and fairness requirement programs satisfy analogous axioms to their standard counterparts. The only difference is that now we view the specifications as functions on systems, not on event structures. For example, the axiom corresponding to Ax-init is

$$\mathit{Ax\text{-}init}^K:\quad @i\ \mathbf{initially}\ \varphi \;\models_I\; \lambda Sys.\ i\text{-}formula(\varphi, I, Sys) \wedge \forall es \in Sys.\ I(\varphi)(Sys, initstate_i).$$

(Note that here, just as in the definition of Ax-init, for simplicity, we write initstate_i instead of es.initstate_i. Since φ is constrained to be an i-formula, it makes sense to talk about I(φ)(Sys, initstate_i) instead of I(φ)(Sys, s) for a global state s with s_i = initstate_i.) The knowledge-based analogues of axioms Ax-cause, Ax-affects, and Ax-sends are denoted Ax-cause^K, Ax-affects^K, and Ax-sends^K, respectively, and are identical to the standard versions of these axioms. The knowledge-based counterparts of Ax-if and Ax-fair now involve epistemic preconditions, which are interpreted with respect to a system:

$$\begin{array}{l}
\mathit{Ax\text{-}if}^K:\quad @i\ kind = local(a)\ \mathbf{only\ if}\ \varphi \;\models_I\; \lambda Sys.\ i\text{-}formula(\varphi, I, Sys) \wedge{}\\
\qquad \forall es \in Sys.\ \forall e@i \in es.\ (kind(e) = local(a)) \Rightarrow I(\varphi)(Sys, \text{state before } e)
\end{array}$$

$$\begin{array}{l}
\mathit{Ax\text{-}fair}^K:\quad @i\ \mathbf{if\ necessarily}\ \varphi\ \mathbf{then\ i.o.}\ kind = local(a) \;\models_I\; \lambda Sys.\ i\text{-}formula(\varphi, I, Sys) \wedge{}\\
\qquad \forall es \in Sys.\ ((\exists e@i \in es \wedge \forall e@i \in es.\ \exists e' \geq_i e.\ I(\neg\varphi)(Sys, \text{state after } e') \vee kind(e') = local(a)) \vee{}\\
\qquad\qquad (\neg(\exists e@i \in es) \wedge I(\neg\varphi)(Sys, initstate_i(es)))).
\end{array}$$

There are also obvious analogue axioms of Ax-ref and Ax-⊕, which we denote Ax-ref^K and Ax-⊕^K, respectively.

Lemma 3.4: Axioms Ax-init^K, Ax-cause^K, Ax-affects^K, Ax-sends^K, Ax-if^K, Ax-fair^K, and Ax-ref^K hold for all interpretations I.

Proof: Since the proofs for all axioms are similar in spirit, we prove only that Ax-if^K holds for all interpretations I. Fix an interpretation I. Let Pg^kb be the program @i kind = local(a) only if φ, where φ is an i-formula. Let Y^kb be an instance of Ax-if^K:

$$\lambda Sys.\ i\text{-}formula(\varphi, I, Sys) \wedge \forall es \in Sys.\ \forall e@i \in es.\ (kind(e) = local(a)) \Rightarrow I(\varphi)(Sys, \text{state before } e).$$

By Definition 3.3, Pg^kb ⊨_I Y^kb is true if and only if, for all systems Sys ∈ S_I^kb(Pg^kb), Y^kb(Sys) holds. That is, for all systems Sys such that S_{I(Sys)}((Pg^kb)^*) = Sys, the following holds:

$$\forall es \in Sys.\ i\text{-}formula(\varphi, I, Sys) \wedge \forall e@i \in es.\ (kind(e) = local(a)) \Rightarrow I(\varphi)(Sys, \text{state before } e).$$

Let Sys be a system such that S_{I(Sys)}((Pg^kb)^*) = Sys. By Definition 2.4, all event structures in Sys are consistent with the program (Pg^kb)^* with respect to interpretation I(Sys). Recall that (Pg^kb)^* is the (standard) program @i kind = local(a) only if φ^*, where I(Sys)(φ^*)(s) = I(φ)(Sys, s). We can thus apply axiom Ax-if and conclude that the following holds for all event structures es consistent with (Pg^kb)^* with respect to I(Sys) (i.e., for all es ∈ Sys):

$$i\text{-}formula(\varphi^*, I(Sys)) \wedge \forall e@i \in es.\ (kind(e) = local(a)) \Rightarrow I(Sys)(\varphi^*)(\text{state before } e).$$

The first conjunct says that, for all global states s and s' in Sys, if s_i = s'_i then I(Sys)(φ^*)(s) = I(Sys)(φ^*)(s'), which is equivalent to saying that I(φ)(Sys, s) = I(φ)(Sys, s'), that is, i-formula(φ, I, Sys) holds. The second conjunct is equivalent to

$$\forall e@i \in es.\ (kind(e) = local(a)) \Rightarrow I(\varphi)(Sys, \text{state before } e)$$

by the definition of φ^* and I(Sys). Thus, Y^kb(Sys) holds under interpretation I. ∎



The proof of Lemma 3.4 involves only unwinding the definition of satisfiability for knowledge-based specifications and the application of simple refinement rules, already implemented in Nuprl. In general, proofs of epistemic formulas will also involve reasoning in the logic of knowledge. Sound and complete axiomatizations of (nonintuitionistic) first-order logic of knowledge are well known (see [Fagin, Halpern, Moses, and Vardi 1995] for an overview) and can be formalized in Nuprl in a straightforward way. This is encouraging, since it supports the hope that Nuprl's inference mechanism is powerful enough to deal with knowledge specifications, without further essential additions.

Note that Ax-⊕^K is not included in Lemma 3.4. That is because it does not always hold, as the following example shows.

Example 3.5: Let Y_i^kb =_def □(¬K_{3−i}(x_i = i)) for i = 1, 2, where x_i ∈ X_i, and let I = ∅. Let Pg_i, i = 1, 2, be the standard program for agent i such that S_I(Pg_i) consists of all the event structures such that x_i = i at all times; that is, Pg_i is the program

$$@i\ \mathbf{initially}\ x_i = i \;\oplus\; @i\ \mathbf{only\ affects}\ x_i.$$

Since Pg_i places no constraints on x_{3−i}, it is straightforward to prove that Pg_i ⊨_I Y_{3−i}^kb for i = 1, 2. On the other hand, S_I(Pg_1 ⊕ Pg_2) consists of all the event structures where x_i = i at all times, for i = 1, 2, so Pg_1 ⊕ Pg_2 ⊨_I ¬Y_1^kb ∧ ¬Y_2^kb. ∎



3.3 Example 

Recall from Section 2.4 that the specification FairSend(l) ⇒ Fair_I(φ, t, l) is satisfied by the program Fair-Pg(φ, t, l, a), for all actions a. We now consider a knowledge-based version of this specification. If φ is an i-knowledge-based formula and t is an i-term in I, define

$$Fair_I^{kb}(\varphi, t, l) =_{def} \lambda Sys.\ \forall es \in Sys.\ Fair_{I(Sys)}(\varphi^*, t, l)(es),$$

that is

$$\begin{array}{l}
Fair_I^{kb}(\varphi, t, l) =_{def} \lambda Sys.\ i\text{-}formula(\varphi, I, Sys) \wedge i\text{-}term(t, I, Sys) \wedge{}\\
\quad \forall es \in Sys.\ ((\forall e' \in es.\ (kind(e') = rcv(l)) \Rightarrow{}\\
\qquad I(\varphi)(Sys, \text{state before } send(e')) \wedge val(e') = I(t)(Sys, \text{state before } send(e')))\\
\quad \wedge ((\exists e@i \in es \wedge \forall e@i \in es.\ \exists e' \geq_i e.\ I(\neg\varphi)(Sys, \text{state after } e')) \vee{}\\
\qquad (\exists e@i \in es \wedge \forall e@i \in es.\ \exists e'.\ kind(e') = rcv(l) \wedge send(e') \geq_i e) \vee{}\\
\qquad (\neg(\exists e@i \in es) \wedge I(\neg\varphi)(Sys, initstate_i)))).
\end{array}$$

For example, Fair_I^kb(K_i φ, t, l) says that every message received on l is given by the term t interpreted at the local state of the sender i, and that i must have known fact φ when it sent this message on l; furthermore, if from some point on i knows that φ holds, then eventually a message is received on l.

As in Section 2.4, we assume that message communication satisfies a strong fairness condition. The knowledge-based version of the condition FairSend(l) simply associates with each system Sys the specification FairSend(l); that is, FairSend^kb(l) is just λSys. ∀es ∈ Sys. FairSend(l)(es).

Lemma 3.6: For all interpretations I such that φ is an i-formula and t is an i-term in I, and all actions a, we have that

$$Fair\text{-}Pg(\varphi, t, l, a) \;\models_I\; FairSend^{kb}(l) \Rightarrow Fair_I^{kb}(\varphi, t, l).$$

The proof is similar in spirit to that of Lemma 3.4: by supplying a system Sys as an argument to the specification, we essentially reduce to the situation in Lemma 2.8. We leave details to the reader.

We can also prove the following analogue of Lemma 2.11.

Lemma 3.7: For all interpretations I such that φ is an i-formula, φ' is a j-formula, t is an i-term, and t' is a j-term in I, all distinct links l and l', and all distinct actions a and a', we have that

$$Fair\text{-}Pg(\varphi, t, l, a) \oplus Fair\text{-}Pg(\varphi', t', l', a') \;\models_I\; (FairSend^{kb}(l) \wedge FairSend^{kb}(l')) \Rightarrow (Fair_I^{kb}(\varphi, t, l) \wedge Fair_I^{kb}(\varphi', t', l')).$$

4 The sequence transmission problem (STP) 

In this section, we give a more detailed example of how a program satisfying a knowledge-based specification X can be extracted from X using the Nuprl system. We do the extraction in two stages. In the first stage, we use Nuprl to prove that the specification is satisfiable. The proof proceeds by refinement: at each step, a rule or tactic (i.e., a sequence of rules invoked under a single name) is applied, and new subgoals are generated; when there are no more subgoals to be proved, the proof is complete. The proof is automated, in the sense that subgoals are generated by the system upon tactic invocation. From the proof, we can extract a knowledge-based program Pg^kb that satisfies the specification. In the second stage, we find standard programs that implement Pg^kb. This two-stage process has several advantages:

• A proof carried out to derive Pg^kb does not rely on particular assumptions about how knowledge is gained. Thus, it is potentially more intuitive and elegant than a proof based on certain implementation assumptions.

• By definition, if Pg^kb satisfies a specification, then so do all its implementations.

• This methodology gives us a general technique for deriving standard programs that implement the knowledge-based program, by finding weaker (non-knowledge-based) predicates that imply the knowledge preconditions in Pg^kb.

We illustrate this methodology by applying it to one of the problems that has received considerable 
attention in the context of knowledge-based programming, the sequence transmission problem (STP). 

4.1 Synthesizing a knowledge-based program for STP 

The STP involves a sender S that has an input tape with a (possibly infinite) sequence X = X(0), X(1), ... of bits, and wants to transmit X to a receiver R; R must write this sequence on an output tape Y. (Here we assume that X(n) is a bit only for simplicity; our analysis of the STP does not essentially change once we allow X(n) to be an element of an arbitrary constructive domain.) A solution to the STP must satisfy two conditions:

1. (safety): at all times, the sequence Y of bits written by R is a prefix of X, and

2. (liveness): every bit X(n) is eventually written by R on the output tape.



Halpern and Zuck [1992] give two knowledge-based programs that solve the STP, and show that a number of standard programs in the literature, like Stenning's [1976] protocol, the alternating bit protocol [1969], and Aho, Ullman and Yannakakis's algorithms [1982], are all particular instances of these programs.

If messages cannot be lost, duplicated, reordered, or corrupted, then S could simply send the bits in X to R in order. However, we are interested in solutions to the STP in contexts where communication is not reliable. It is easy to see that if undetectable corruption is allowed, then the STP is not solvable. Neither is it solvable if all messages can be lost. Thus, following [Halpern and Zuck 1992], we assume (a) that all corruptions are detectable and (b) a strong fairness condition: for any given link l, if infinitely often a message is sent on l, then infinitely often some message is delivered on l. We formalize strong fairness by restricting to systems where FairSend(l) holds for all links l.

The safety and liveness conditions for STP are run-based specifications. As argued by Fagin et al. [1997], it is often better to think in terms of knowledge-based specifications for this problem. The real goal of the STP is to get the receiver to know the bits. Writing K_R(X(n)) as an abbreviation for K_R(X(n) = 0) ∨ K_R(X(n) = 1), we really want to satisfy the knowledge-based specification

$$\varphi_{STP} =_{def} \forall n\ \Diamond K_R(X(n)).$$

This is the specification we now synthesize.

Since we are assuming fairness, S can ensure that R learns the nth bit by sending it sufficiently often. Thus, S can ensure that R learns the nth bit if, infinitely often, either S sends X(n) or S knows that R knows X(n). (Note that once S knows that R knows X(n), S will continue to know this, since local states encode histories.) We can enforce this by using an appropriate instantiation of Fair^kb.

Let c_S be a (nonrigid) constant that, intuitively, represents the smallest n such that S does not know that R knows X(n), if such an n exists. That is, we want the following formula to be true:

$$\forall n.\ (\forall k < n.\ K_S K_R(X(k))) \wedge \neg K_S K_R(X(n)) \Rightarrow n = c_S.$$

Let φ_S be the knowledge-based formula that holds at a consistent cut c if and only if there exists a smallest n such that, at c, S does not know that R knows X(n):

$$\varphi_S =_{def} \exists n.\ (\forall k < n.\ K_S K_R(X(k))) \wedge \neg K_S K_R(X(n)).$$

Let t_S be the term (c_S, X(c_S)).⁴ Let l_SR denote the communication link from S to R. Now consider the knowledge-based specification Fair_I^kb(φ_S, t_S, l_SR). Fair_I^kb(φ_S, t_S, l_SR) holds in a system Sys if, (1) whenever R receives a message from S, the message is a pair of the form (n, X(n)); (2) at the time S sent this message to R, S knew that R knew the first n elements in the sequence X, but S did not know whether R knew X(n); and (3) R is guaranteed to either eventually receive the message (n, X(n)) or eventually know X(n).

How does the sender learn which bits the receiver knows? One possibility is for S to receive from R a request to send X(n). This can be taken by S to be a signal that R knows all the preceding bits. We can ensure that S gets this information by again using an appropriate instantiation of Fair^kb. Define c_R to be a (nonrigid) constant that, intuitively, represents the smallest n such that R does not know X(n), if such an n exists. In other words, we want the following formula to be true:

$$\forall n.\ (\forall k < n.\ K_R(X(k))) \wedge \neg K_R(X(n)) \Rightarrow n = c_R.$$

We take φ_R to be the knowledge-based formula

$$\varphi_R =_{def} \exists n.\ (\forall k < n.\ K_R(X(k))) \wedge \neg K_R(X(n)),$$

which says that there exists a smallest n such that R does not know X(n) (or, equivalently, such that c_R = n holds). Finally, let l_RS denote the communication link from R to S. Fair_I^kb(φ_R, c_R, l_RS) implies that whenever S receives a message n from R, it is the case that, at the time R sent this message, R knew the first n elements of X, but not X(n). Note that, for all n, S is guaranteed to eventually receive a message n unless R eventually knows X(n).

⁴ We are implicitly assuming here that the pairing function that maps x and y to (x, y) is in the language.

We can now use the system to verify our informal claim that we have refined the initial specification φ_STP. That is, the system can prove

$$\begin{array}{l}
(Fair_I^{kb}(\varphi_S, t_S, l_{SR}) \wedge Fair_I^{kb}(\varphi_R, c_R, l_{RS}) \wedge{}\\
\quad (\forall n.\ (\forall k < n.\ K_S K_R(X(k))) \wedge \neg K_S K_R(X(n)) \Rightarrow n = c_S) \wedge{}\\
\quad (\forall n.\ (\forall k < n.\ K_R(X(k))) \wedge \neg K_R(X(n)) \Rightarrow n = c_R)) \Rightarrow \varphi_{STP}.
\end{array}$$

No new techniques are needed for this proof: we simply unwind the definitions of the semantics of knowledge formulas and of the fairness specifications, and proceed with a standard proof by induction on the smallest n such that R does not know X(n).

It follows from Lemma 3.7 that Fair_I^kb(φ_S, t_S, l_SR) ∧ Fair_I^kb(φ_R, c_R, l_RS) is satisfied by the combination of two simple knowledge-based programs, assuming that message communication on links l_SR and l_RS satisfies the strong fairness conditions FairSend^kb(l_SR) and FairSend^kb(l_RS). That is, for any two distinct actions a_S and a_R, the following is true:

$$\begin{array}{l}
Fair\text{-}Pg(\varphi_S, t_S, l_{SR}, a_S) \oplus Fair\text{-}Pg(\varphi_R, c_R, l_{RS}, a_R) \;\models_I\;\\
\quad (FairSend^{kb}(l_{SR}) \wedge FairSend^{kb}(l_{RS})) \Rightarrow (Fair_I^{kb}(\varphi_S, t_S, l_{SR}) \wedge Fair_I^{kb}(\varphi_R, c_R, l_{RS})).
\end{array}$$

As explained in Section 2.4, FairSend^kb(l_SR) ∧ FairSend^kb(l_RS) says that if infinitely often a message is sent on l_SR then infinitely often a message is received on l_SR, and, similarly, if infinitely often a message is sent on l_RS then infinitely often a message is received on l_RS; as mentioned at the beginning of this section, we restrict to systems where these conditions are met. Furthermore, it is not difficult to show that we can use simple initialization clauses to guarantee that the constraints on the interpretation of c_S and c_R are satisfied:

$$\begin{array}{l}
@S\ \mathbf{initially}\ \Box(\forall n.\ (\forall k < n.\ K_S K_R(X(k))) \wedge \neg K_S K_R(X(n)) \Rightarrow n = c_S) \;\models_I\;\\
\quad \forall n.\ (\forall k < n.\ K_S K_R(X(k))) \wedge \neg K_S K_R(X(n)) \Rightarrow n = c_S,
\end{array}$$

$$\begin{array}{l}
@R\ \mathbf{initially}\ \Box(\forall n.\ (\forall k < n.\ K_R(X(k))) \wedge \neg K_R(X(n)) \Rightarrow n = c_R) \;\models_I\;\\
\quad \forall n.\ (\forall k < n.\ K_R(X(k))) \wedge \neg K_R(X(n)) \Rightarrow n = c_R.
\end{array}$$

Thus, Pg_S^kb(φ_S, t_S, l_SR, a_S) ⊕ Pg_R^kb(φ_R, c_R, l_RS, a_R) ⊨_I φ_STP, where

$$Pg_S^{kb}(\varphi_S, t_S, l_{SR}, a_S) =_{def} Fair\text{-}Pg(\varphi_S, t_S, l_{SR}, a_S) \oplus @S\ \mathbf{initially}\ \Box(\forall n.\ (\forall k < n.\ K_S K_R(X(k))) \wedge \neg K_S K_R(X(n)) \Rightarrow n = c_S),$$

$$Pg_R^{kb}(\varphi_R, c_R, l_{RS}, a_R) =_{def} Fair\text{-}Pg(\varphi_R, c_R, l_{RS}, a_R) \oplus @R\ \mathbf{initially}\ \Box(\forall n.\ (\forall k < n.\ K_R(X(k))) \wedge \neg K_R(X(n)) \Rightarrow n = c_R).$$

From the definition of Fair-Pg(φ, t, l, a) in Section 3.3, it follows that Pg_S^kb(φ_S, t_S, l_SR, a_S) is the following composition:

$$\begin{array}{l}
@S\ \mathbf{initially}\ \Box(\forall n.\ (\forall k < n.\ K_S K_R(X(k))) \wedge \neg K_S K_R(X(n)) \Rightarrow n = c_S) \;\oplus\\
@S\ kind = local(a_S)\ \mathbf{only\ if}\ \exists n.\ (\forall k < n.\ K_S K_R(X(k))) \wedge \neg K_S K_R(X(n)) \;\oplus\\
@S\ \mathbf{if}\ kind = local(a_S)\ \mathbf{then}\ msg(l_{SR}) := t_S \;\oplus\\
@S\ \mathbf{only\ events\ in}\ [a_S]\ \mathbf{affects}\ msg(l_{SR}) \;\oplus\\
@S\ \mathbf{if\ necessarily}\ \exists n.\ (\forall k < n.\ K_S K_R(X(k))) \wedge \neg K_S K_R(X(n))\ \mathbf{then\ i.o.}\ kind = local(a_S).
\end{array}$$

Using the program notation of Fagin et al. [1995], Pg_S^kb(φ_S, t_S, l_SR, a_S) is essentially semantically equivalent to the following collection of programs, one for each value n:

$$\mathbf{if}\ K_S(K_R X(0) \wedge \ldots \wedge K_R X(n-1)) \wedge \neg K_S K_R X(n)\ \mathbf{then}\ send_{l_{SR}}((n, X(n)))\ \mathbf{else}\ skip.$$

In both of these programs, S takes the same action under the same circumstances, and with the same effects on its local state. That is, given a run r (i.e., a sequence of global states) consistent with the collection of knowledge-based programs, we can construct an event structure es consistent with Pg_S^kb(φ_S, t_S, l_SR, a_S) such that the sequence of local states of S in es, with stuttering eliminated, is the same as in r. The converse is also true. More precisely, in a run r consistent with the collection of knowledge-based programs, at each point of time, either S knows that R knows the value of X(n) for all n, or there exists a smallest n such that ¬K_S K_R(X(n)) holds. In the first case, S does nothing, while in the second case S sends (n, X(n)) on l_SR. Similarly, in an event structure es consistent with Pg_S^kb(φ_S, t_S, l_SR, a_S), if S knows that R knows X(n) for all n, then S does nothing; if not, then it is impossible for S to know that R knows the first n bits, but never know that R knows X(n), without S eventually taking an a_S action with value (n, X(n)). This means that for each run r consistent with the collection of knowledge-based programs, the event structure es in which S starts from the same initial state as in r and performs action a_S as soon as it is enabled has the same sequence of local states of S as r. For each event structure es consistent with Pg_S^kb(φ_S, t_S, l_SR, a_S), in the run r of global states in es with stuttering eliminated, S takes action a_S as soon as enabled; subsequently, r is consistent with the collection of knowledge-based programs.

Similarly, Pg_R^kb(φ_R, c_R, l_RS, a_R) is essentially semantically equivalent to the following collection of programs, one for each value n:

$$\mathbf{if}\ K_R X(0) \wedge \ldots \wedge K_R X(n-1) \wedge \neg K_R X(n)\ \mathbf{then}\ send_{l_{RS}}(n)\ \mathbf{else}\ skip.$$

Thus, the derived program is essentially one of the knowledge-based programs considered by Halpern and Zuck [1992]. This is not surprising, since our derivation followed much the same reasoning as that of Halpern and Zuck. However, note that we did not first give a knowledge-based program and then verify that it satisfied the specification. Rather, we derived the knowledge-based programs for the sender and receiver from the proof that the specification was satisfiable. And, while Nuprl required "hints" in terms of what to prove, the key ingredients of the proof, namely, the specification Fair_I^kb(φ, t, l) and the proof that Fair-Pg(φ, t, l, a) realizes it, were already in the system, having been used in other contexts. Thus, this suggests that we may be able to apply similar techniques to derive programs satisfying other specifications in communication systems with only weak fairness guarantees.

4.2 Synthesis of standard programs for STP

This takes care of the first stage of the synthesis process. We now want to find a standard program that implements the knowledge-based program. As discussed by Halpern and Zuck [1992], the exact standard program that we use depends on the underlying assumptions about the communications systems. Here we sketch an approach to finding such a standard program.

The first step is to identify the exact properties of knowledge that are needed for the proof. This can be done by inspecting the proof to see which properties of the knowledge operators K_S and K_R are used. The idea is then to replace formulas involving the knowledge operators by standard (non-epistemic) formulas which have the relevant properties.

Suppose that φ_S^kb is a formula that mentions the function X, has a free variable m, and is guaranteed to be an S-formula in all interpretations I and systems Sys. (Recall that, as noted just before Lemma 3.1, there are simple syntactic conditions that guarantee that a formula is an i-formula for all I and Sys.) Roughly speaking, we can think of φ_S^kb as corresponding to K_S K_R(X(m)). Let φ'_S be an abbreviation of

$$\exists n.\ ((\forall k < n.\ \varphi_S^{kb}[m/k]) \wedge \neg\varphi_S^{kb}[m/n]).$$

Similarly, suppose that φ_R^kb is a formula that mentions X, has a free variable m, and is guaranteed to be an R-formula in all interpretations I; let φ'_R be an abbreviation of

$$\exists n.\ ((\forall k < n.\ \varphi_R^{kb}[m/k]) \wedge \neg\varphi_R^{kb}[m/n]).$$

Thus, φ'_S and φ'_R are the analogues of φ_S and φ_R in Section 4.1. While φ_S says that there is a least n such that K_S K_R X(n) does not hold, φ'_S says that there is a least n such that φ_S^kb(n) does not hold. Similarly, while φ_R says that there is a least n such that K_R X(n) does not hold, φ'_R says that there is a least n such that φ_R^kb(n) does not hold.

We also use constants ĉ_S and ĉ_R that are analogues of c_S and c_R: φ_S^kb plays the same role in the definition of ĉ_S as K_S K_R(X(m)) played in the definition of c_S, and φ_R^kb plays the same role in the definition of ĉ_R as K_R(X(m)) played in the definition of c_R. Thus, we take ĉ_S to be a constant that represents the least n such that φ_S^kb[m/n] does not hold (that is, we want ∃n. (∀k < n. φ_S^kb[m/k]) ∧ ¬φ_S^kb[m/n] ⇒ (n = ĉ_S) to be true), and define t̂_S as the pair (ĉ_S, X(ĉ_S)). Similarly, we take ĉ_R to be a constant that represents the least n such that φ_R^kb[m/n] does not hold (that is, we want ∃n. (∀k < n. φ_R^kb[m/k]) ∧ ¬φ_R^kb[m/n] ⇒ (n = ĉ_R) to be true).

Let φ_STP(φ_R^kb) be the specification that results by using φ_R^kb instead of K_R(X(m)) in φ_STP:

$$\varphi_{STP}(\varphi_R^{kb}) =_{def} \forall n.\ \Diamond\varphi_R^{kb}[m/n].$$

We prove the goal φ_STP(φ_R^kb) by refinement: at each step, a rule (or tactic) of Nuprl is applied, and a number of subgoals (typically easier to prove) are generated; the rule gives a mechanism of constructing a proof of the goal from proofs of the subgoals. Some of the subgoals cannot be further refined in an obvious manner; this is the case, for example, for the simple conditions on φ'_S or φ'_R. The new theorem states that, under suitable conditions on φ_S^kb and φ_R^kb, φ_STP(φ_R^kb) is satisfiable if both Fair_I^kb(φ'_S, t̂_S, l_SR) and Fair_I^kb(φ'_R, ĉ_R, l_RS) are satisfiable.

We now explain the conditions placed on the predicates φ_S^kb and φ_R^kb. One condition is that φ_R^kb be stable, that is, once true, it stays true:

$$\begin{array}{l}
Stable(\varphi_R^{kb}) =_{def} \lambda Sys.\ \forall es \in Sys.\ \forall e_R@R \in es.\ \forall n.\\
\quad I(\varphi_R^{kb}[m/n])(Sys, \text{state before } e_R) \Rightarrow I(\varphi_R^{kb}[m/n])(Sys, \text{state after } e_R).
\end{array}$$

Assuming Stable(φ_R^kb) allows us to prove φ_STP(φ_R^kb) by induction on the least index n such that ¬φ_R^kb[m/n] holds.

To allow us to carry out a case analysis on whether φ_R^kb holds, we also assume that φ_R^kb satisfies the principle of excluded middle; that is, we assume that Determinate(φ_R^kb) =_def Determinate(∀n. φ_R^kb[m/n]). For similar reasons, we also restrict φ_S^kb to being stable and determinate; that is, we require that Stable(φ_S^kb) and Determinate(φ_S^kb) both hold.

The third condition we impose establishes a connection between φ_S^kb and φ_R^kb, and ensures that, for all values n, if φ_S^kb[m/n] holds, then eventually φ_R^kb[m/n] will also hold:

$$\begin{array}{l}
Implies(\varphi_S^{kb}, \varphi_R^{kb}) =_{def} \lambda Sys.\ \forall es \in Sys.\ \forall n.\ \forall e_S@S \in es.\ I(\varphi_S^{kb}[m/n])(Sys, \text{state before } e_S) \Rightarrow{}\\
\quad \exists e_R@R \in es.\ e_R \geq e_S \wedge I(\varphi_R^{kb}[m/n])(Sys, \text{state after } e_R).
\end{array}$$

To explain the next condition, recall that φ_R^kb is meant to represent K_R(X(m)). With this interpretation, I(∀k < n. φ_R^kb[m/k])(Sys, state before send(e_S)) says that R knows the first n bits before it sends a message to S. We would like it to be the case that, just as with the knowledge-based derivation, when S receives R's message, S knows that R knows the nth bit. Since we think of φ_S^kb as saying that K_S K_R(X(m)) holds, we expect I(φ_S^kb[m/n])(Sys, state after e_S) to be true. Define Rcv(φ_S^kb, φ_R^kb, l_RS) to be an abbreviation of

$$\begin{array}{l}
\lambda Sys.\ \forall es \in Sys.\ \forall e_S@S \in es.\ (kind(e_S) = rcv(l_{RS})) \Rightarrow{}\\
\quad \forall n.\ (\forall k < n.\ I(\varphi_R^{kb}[m/k])(Sys, \text{state after } send(e_S))) \Rightarrow I(\varphi_S^{kb}[m/n])(Sys, \text{state after } e_S).
\end{array}$$

With this background, we can describe the last condition. Intuitively, it says that if n is the least value for which φ_S^kb fails when S sends a message to R, then φ_R^kb holds for n upon message delivery:

$$\begin{array}{l}
Rcv(\varphi_R^{kb}, \varphi_S^{kb}, l_{SR}) =_{def} \lambda Sys.\ \forall es \in Sys.\ \forall e_R@R \in es.\ (kind(e_R) = rcv(l_{SR})) \Rightarrow{}\\
\quad \forall n.\ (I(\varphi'_S[m/n])(Sys, \text{state before } send(e_R)) \Rightarrow I(\varphi_R^{kb}[m/n])(Sys, \text{state after } e_R)).
\end{array}$$

We denote the conjunction of these conditions as ψ^kb(φ_S^kb, φ_R^kb, t̂_S, ĉ_R, l_SR, l_RS). The new theorem says

$$\begin{array}{l}
\psi^{kb}(\varphi_S^{kb}, \varphi_R^{kb}, \hat t_S, \hat c_R, l_{SR}, l_{RS}) \wedge{}\\
Fair_I^{kb}(\varphi'_S, \hat t_S, l_{SR}) \wedge Fair_I^{kb}(\varphi'_R, \hat c_R, l_{RS}) \wedge{}\\
(\forall n.\ (\forall k < n.\ \varphi_S^{kb}[m/k]) \wedge \neg\varphi_S^{kb}[m/n] \Rightarrow (n = \hat c_S)) \wedge{}\\
(\forall n.\ (\forall k < n.\ \varphi_R^{kb}[m/k]) \wedge \neg\varphi_R^{kb}[m/n] \Rightarrow (n = \hat c_R))\\
\Rightarrow \varphi_{STP}(\varphi_R^{kb}).
\end{array}$$

We can prove that the following is true for any two distinct actions a_S and a_R:

$$\begin{array}{l}
Pg_S^{kb}(\varphi_S^{kb}, \hat t_S, l_{SR}, a_S) \oplus Pg_R^{kb}(\varphi_R^{kb}, \hat c_R, l_{RS}, a_R) \;\models_I\;\\
\quad \psi^{kb}(\varphi_S^{kb}, \varphi_R^{kb}, \hat t_S, \hat c_R, l_{SR}, l_{RS}) \wedge FairSend^{kb}(l_{RS}) \wedge FairSend^{kb}(l_{SR})
\end{array}$$

where

$$Pg_S^{kb}(\varphi_S^{kb}, \hat t_S, l_{SR}, a_S) =_{def} Fair\text{-}Pg(\varphi'_S, \hat t_S, l_{SR}, a_S) \oplus @S\ \mathbf{initially}\ \Box(\forall n.\ (\forall k < n.\ \varphi_S^{kb}[m/k]) \wedge \neg\varphi_S^{kb}[m/n] \Rightarrow n = \hat c_S),$$

$$Pg_R^{kb}(\varphi_R^{kb}, \hat c_R, l_{RS}, a_R) =_{def} Fair\text{-}Pg(\varphi'_R, \hat c_R, l_{RS}, a_R) \oplus @R\ \mathbf{initially}\ \Box(\forall n.\ (\forall k < n.\ \varphi_R^{kb}[m/k]) \wedge \neg\varphi_R^{kb}[m/n] \Rightarrow n = \hat c_R).$$

In particular, for the terms t_S and c_R defined in the previous section, we can show that ψ^kb(K_S K_R X(m), K_R X(m), t_S, c_R, l_SR, l_RS) is true. Thus, the new theorem is indeed a generalization of the previous results.

The formulas K_S K_R X(m) and K_R X(m) are not the only ones that satisfy these conditions. Most importantly for the purpose of extracting standard programs, the conditions are satisfied by non-epistemic formulas, that is, formulas whose interpretations do not depend on the entire system, just on the local states of the sender or the receiver agents, respectively. Note that Lemma 2.12 guarantees that the extracted program is consistent.

For example, we can take x_S to be an S-local variable that stores the largest n such that S has received requests from R for all of the first n bits in X; that is, initially x_S is set to −1, and if S receives a request for X(n) and x_S = n − 1, then x_S is set to n. We similarly take x_R to be an R-local variable that stores the largest n such that R has received the first n − 1 bits of X from S. That is, initially, x_R is set to 0; if R receives a message of the form (n, msg) from S and x_R = n − 1, then x_R is set to n. We have in mind a setting in which the receiver requests bits from the sender in order, that is, R starts by requesting X(0), and does not request X(n) before receiving X(n − 1). Similarly, the aim is to have the sender send bits in order; that is, S does not send X(n + 1) before S knows that X(n) has been received. For the generalized knowledge-based formulation of the STP problem, we use a formula φ_S^kb that is meant to correspond to K_S K_R X(m). Given the intuition above, at all times, S knows that R has received bits 0, ..., x_S − 1; that is, φ_S^kb(m) holds here iff x_S > m. Since φ'_S holds iff there is a least m such that ¬φ_S^kb(m) holds, φ'_S is vacuously true here. Moreover, the term ĉ_S that represents the least such m is just x_S. Similarly, the formula φ_R^kb is meant to correspond to K_R X(m); here we can take φ_R^kb to be x_R > m. Again, φ'_R becomes vacuously true, and the corresponding term ĉ_R, which represents the least m such that φ_R^kb does not hold, is just x_R.

It is not hard to show that ψ^kb(x_S > m, x_R > m, (x_S, X(x_S)), x_R, l_SR, l_RS) holds in the system generated by Pg(true, (x_S, X(x_S)), l_SR, a_S) ⊕ Pg(true, x_R, l_RS, a_R), for any distinct actions a_S and a_R; this specification is not knowledge-based. Recall that φ_STP(φ_R^kb) is ∀n. ◇φ_R^kb[m/n]. In this context, it is the formula ∀n. ◇(x_R = n). In addition, φ_STP(x_R > m) implies φ_STP (in the system generated by Pg(true, (x_S, X(x_S)), l_SR, a_S) ⊕ Pg(true, x_R, l_RS, a_R)), so if message communication is fair,

$$Pg(true, (x_S, X(x_S)), l_{SR}, a_S) \oplus Pg(true, x_R, l_{RS}, a_R)$$

satisfies the STP specification, as long as a_S and a_R are distinct actions. We can easily give a justification for this result: If R follows Pg(true, x_R, l_RS, a_R) and S follows Pg(true, (x_S, X(x_S)), l_SR, a_S), then R starts by sending message 0 to S; since communication is fair, eventually S receives this message, and x_S is set to 0; S starts sending (0, X(0)) to R; since communication is fair, eventually R receives this message, so R sets x_R to 1, stops sending message 0 to S, and starts sending message 1 to S. It is not difficult to show that, for all values n, there is a time when x_R is set to n, which triggers R to send message n to S. S eventually receives this message and starts sending (n, X(n)) to R. This, in turn, ensures that R eventually receives this message and thus learns X(n). Note that the program Pg(true, (x_S, X(x_S)), l_SR, a_S) ⊕ Pg(true, x_R, l_RS, a_R) is realizable. We have thus extracted a standard program that realizes the STP specification. In fact, the program turns out to be essentially equivalent to Stenning's [1976] protocol.

The key point here is that by replacing the knowledge tests by weaker predicates that imply them and 
do not explicitly mention knowledge, we can derive standard programs that implement the knowledge- 
based program. We believe that other standard implementations of the knowledge-based program can 
be derived in a similar way. 
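As an added illustration of the two-stage derivation (this is example code written for this page, not the paper's Nuprl extract and not part of its program notation), the following Python simulation runs the standard program Pg(true, (x_S, X(x_S)), l_SR, a_S) ⊕ Pg(true, x_R, l_RS, a_R) of Section 4.2, in which the knowledge tests K_S K_R X(k) and K_R X(k) of the Section 4.1 programs have been replaced by the local tests x_S > k and x_R > k. The links are constructed so that they lose and duplicate messages but satisfy the strong fairness condition FairSend(l). The lock-step round structure, the finite tape, the class and function names, and the indexing of R's update (on (n, b) with n = x_R, write b and set x_R := n + 1, matching the walkthrough above in which receiving (0, X(0)) sets x_R to 1) are all assumptions of this example. It asserts the safety condition (Y is a prefix of X) after every round, reports whether liveness was reached, and records any round in which S sent (n, X(n)) before R actually held X(0), ..., X(n−1); that list stays empty, which is the non-epistemic fact the replaced knowledge test relies on.

```python
class FairLossyLink:
    """Constructed adversarial link (not from the paper).  It drops every
    message except each `keep_every`-th one and delivers each survivor twice
    (duplication).  Since one message in every `keep_every` sends gets
    through, infinitely many sends give infinitely many deliveries, which is
    the strong fairness condition FairSend(l) assumed in the text."""

    def __init__(self, keep_every=3):
        self.keep_every = keep_every
        self.sent = 0          # number of send events on this link
        self.in_flight = []    # survivors not yet delivered

    def send(self, msg):
        self.sent += 1
        if self.sent % self.keep_every == 0:
            self.in_flight.extend([msg, msg])   # survivor, duplicated once

    def deliver_all(self):
        """Hand everything in flight to the receiving agent."""
        batch, self.in_flight = self.in_flight, []
        return batch


def run_stp(X, keep_every=3, max_rounds=10_000):
    """Run S and R in lock-step rounds until R has written all of X (a finite
    tape stands in for the paper's possibly infinite one) or max_rounds pass.
    Returns (Y, rounds, sends_on_lSR, violations).  `violations` lists the
    rounds in which S sent (n, X(n)) while R did not yet hold X(0..n-1); it
    stays empty, which is what justifies replacing the knowledge test
    K_S K_R X(k) by the local test x_S > k.  Safety (Y is a prefix of X) is
    asserted after every round."""
    lSR, lRS = FairLossyLink(keep_every), FairLossyLink(keep_every)
    xS = -1   # largest n such that S holds R's requests for X(0..n); -1 as in the text
    xR = 0    # R holds X(0..xR-1) and is requesting X(xR); 0 as in the text
    Y = []    # R's output tape
    violations = []
    for rnd in range(1, max_rounds + 1):
        # R, action aR (taken every round, hence infinitely often): request X(xR) on lRS
        lRS.send(xR)
        # S receives requests; xS advances only on the request it is waiting for,
        # so duplicates and stale requests are ignored
        for n in lRS.deliver_all():
            if n == xS + 1:
                xS = n
        # S, action aS: send tS = (xS, X(xS)) once a request has arrived
        if 0 <= xS < len(X):
            if xR < xS:                    # R does not yet hold X(0..xS-1)
                violations.append(rnd)
            lSR.send((xS, X[xS]))
        # R receives bits and accepts only the one it is requesting.  Assumed
        # indexing: on (n, b) with n == xR, write b and set xR := n + 1, which
        # matches the walkthrough in the text (receiving (0, X(0)) sets xR to 1).
        for n, bit in lSR.deliver_all():
            if n == xR:
                Y.append(bit)
                xR = n + 1
        assert Y == X[:len(Y)], "safety violated: Y is not a prefix of X"
        if len(Y) == len(X):
            return Y, rnd, lSR.sent, violations
    return Y, max_rounds, lSR.sent, violations


if __name__ == "__main__":
    tape = [1, 0, 1, 1, 0, 0, 1, 0]        # constructed sample input tape X
    out, rounds, sends, bad = run_stp(tape)
    print(f"Y={out} after {rounds} rounds and {sends} sends on lSR; violations={bad}")
```

The link drops messages by a fixed pattern rather than at random so that a run is reproducible and the liveness claim can be checked outright; with a random loss model the same claim would hold only with probability 1, which is the situation the paper's fairness assumption abstracts away. With keep_every=1 (a reliable link) one bit is transferred per round; with larger values the run still terminates, only later, which is exactly what FairSend guarantees.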



5 Conclusion and Future Work 



We have shown that the mechanism for synthesizing programs from specifications in Nuprl can be 
extended to knowledge-based programs and specifications. Moreover, we have shown that axioms much 
in the spirit of those used for standard programs can be used to synthesize kb programs as well. We 
applied this methodology to the analysis of the sequence transmission problem and showed that the kb 
programs of proposed by Halpern and Zuck for solving the STP problem can be synthesized in Nuprl. 
We also sketched an approach for deriving standard programs that implement the kb programs that 
solve the STP. A feature of our approach is that the extracted standard programs are close to the type of 
pseudocode designers write their programs in, and can be translated into running code. 

There has been work on synthesizing both standard programs and kb programs from kb specifica- 
tions. In the case of synchronous systems with only one process, van der Meyden and Vardi [1998]
provide a necessary and sufficient condition for a certain type of kb specification to be realizable, and
show that, when it holds, a program can be extracted that satisfies the specification. Still assuming a syn-
chronous setting, but this time allowing multiple agents, Engelhardt, van der Meyden, and Moses [1998;
2001] propose a refinement calculus in which one can start with an epistemic and temporal specification
and use refinement rules that eventually lead to standard formulas. The refinement rules annotate
formulas with preconditions and postconditions, which allow programs to be synthesized from the leaf 
formulas in a straightforward way. A search up the tree generated in the refinement process suffices to 
build a program that satisfies the specification. The extracted programs are objects of a programming 
language that allows concurrent and sequential executions, variable assignments, loops and conditional 
statements. 

We see our method for synthesizing programs from kb specifications as an alternative to this ap- 
proach. As in the Engelhardt et al. approach, the programs extracted in Nuprl are close to realistic pro-
gramming languages. Arguably, distributed I/O message automata are general enough to express most 
of the distributed programs of interest when communication is done by message passing. Our approach 
has the additional advantage of working in asynchronous settings. 

A number of questions, both theoretical and more applicative, still remain open. While synthesis
of distributed programs from epistemic and temporal specifications is undecidable in general, recent
results [van der Meyden and Wilke 2005] show that, under certain assumptions about the setting in which
agents communicate, the problem is decidable. It would be worth understanding the extent to which these
assumptions apply to our setting. Arguably, to prove a result of this type, we need a better understanding
of how properties of a number of kb programs relate to the properties of their composition; this would
also allow us to prove stronger composition rules than the one presented in Section 3.2. As we said, we
believe that the approach that we sketched for extracting a standard program from the kb specification
for the STP problem can be extended into a general methodology. As pointed out by Engelhardt et al.,
the key difficulty in extracting standard programs from abstract specifications is in coming up with good
standard tests to replace the abstract tests in a program. However, it is likely that, by reducing the
complexity of the problem and focusing only on certain classes of kb specifications, "good" standard tests
can be more easily identified. We plan to investigate heuristics for finding such tests and to implement
them as tactics in Nuprl.